Abstract. We extend the basic system relations of trace inclusion, trace
equivalence, simulation, and bisimulation to a quantitative setting in
which propositions are interpreted not as boolean values, but as elements
of arbitrary metric spaces. Trace inclusion and equivalence give
rise to asymmetrical and symmetrical linear distances, while simulation
and bisimulation give rise to asymmetrical and symmetrical branching
distances. We study the relationships among these distances, and we
provide a full logical characterization of the distances in terms of
quantitative versions of Ltl and μ-calculus. We show that, while trace inclusion
(resp. equivalence) coincides with simulation (resp. bisimulation) for
deterministic boolean transition systems, linear and branching distances do
not coincide for deterministic metric transition systems. Finally, we
provide algorithms for computing the distances over finite systems, together
with matching lower complexity bounds.

1  Introduction


We consider metric transition systems, which are transition systems in which the
predicates, at each state, are interpreted as elements of generic metric spaces.
Many examples of metric transition systems have been studied in the literature.
As the set $\mathbb{R}$ of real numbers is a metric space (when equipped, for instance,
with the metric $d(x,y) = |x - y|$), hybrid systems (where clocks and hybrid
variables are interpreted in $\mathbb{R}$) and priced automata (where a real-valued "price"
is associated with each state) are both examples of metric transition systems.
Kripke structures are also a special case of metric transition systems, as the set
$\{t, f\}$ of boolean values can be associated with the metric $d(t,t) = d(f,f) = 0$,
and $d(t,f) = d(f,t) = 1$. Indeed, it is difficult to think of a class of transition
systems that has been proposed in the literature, and that cannot be cast as a
metric transition system.

Trace inclusion, trace equivalence, simulation, and bisimulation are classical
system relations which play a very important role in system specification
and verification. These notions are defined in terms of the equality of predicate
valuations: for example, trace inclusion holds between two states s, t if, for every
trace from s, we can find a trace from t with equal predicate valuations.
Once the predicate valuations belong to metric spaces, it becomes natural to
extend these system relations to metrics, that capture how close the valuations
are, rather than requiring equality. For example, trace inclusion can be generalized
to a metric, where the distance between s and t provides a bound for how
closely the valuations of an arbitrary trace from s can be matched by a trace
from t. Following this idea, we extend the classical relations of trace inclusion,
trace equivalence, simulation, and bisimulation to a metric setting, by defining
linear and branching distances⁴. Considering distances, rather than relations,
leads to a theory of system approximations [7, 18, 2], enabling the quantification
of how closely a concrete system implements a specification. System metrics,
rather than relations, are also appropriate when the system structure is derived
from experimental observations, so that the predicate valuations are subject
to measurement errors. In this case, system metrics provide useful information
about the similarity of system behaviors, while relations, relying on equality in
predicate valuations, are unnecessarily fine-grained.

We define two families of distances: linear distances, which generalize
trace inclusion and equivalence, and branching distances, which generalize
(bi)simulation. We relate these distances to the quantitative version of the two
well-known specification languages Ltl and μ-calculus, showing that the distances
measure to what extent the logic can tell one system from the other. The
distance notions arising as generalizations of trace inclusion and simulation are
asymmetrical, just like the relations they generalize: the "simulation distance"
between s and t is in general different from the "simulation distance" between t
and s. We call these asymmetrical distances directed metrics, preferring this term
to the term quasi-pseudometrics used elsewhere in the literature [9]; symmetrical
distances will be called undirected metrics. Thus, for the sake of generality,
we develop our results in the general setting where predicates are evaluated in
spaces endowed with directed metrics.

⁴ In this paper, we use the term "distance" in a generic way, applying it to various
types of metrics.

Our starting point for linear distances is the distance $\|\sigma - \rho\|_\infty$ between two
traces $\sigma$ and $\rho$, which measures the supremum of the difference in predicate
valuations at corresponding positions of $\sigma$ and $\rho$. To lift this trace distance to a
distance over states, we define $ld^s(s,t) = \sup_{\sigma \in Tr(s)} \inf_{\rho \in Tr(t)} \|\sigma - \rho\|_\infty$, where
Tr(s) and Tr(t) are the set of traces from s and t, respectively. The distance
$ld^s(s,t)$ is asymmetrical, and is a quantitative extension of trace containment:
if $ld^s(s,t) = b$, then for all traces $\sigma$ from s, there is a trace $\rho$ from t such
that $\|\sigma - \rho\|_\infty \le b$. In particular, if the metric spaces where the predicates are
evaluated assign distance 0 only to identical elements, then $Tr(s) \subseteq Tr(t)$ iff
$ld^s(s,t) = 0$. We define a symmetrical version of this distance by
$\overline{ld^s}(s,t) = \max\{ld^s(s,t), ld^s(t,s)\}$, yielding a distance that generalizes trace equivalence;
thus, $\overline{ld^s}(s,t)$ is the Hausdorff distance between Tr(s) and Tr(t).

We relate the linear distance to the logic Qltl, a quantitative version of
Ltl [14]. When interpreted on a metric transition system, Qltl formulas yield a
value in the positive reals extended with infinity, or $\mathbb{R}_+ \cup \{\infty\}$. The propositional
formulas of Qltl are of the form D(r, c) and D(c, r), where r is a predicate, and
c a constant. The formula D(r, c), at a state, yields the distance of the valuation
of r at the state from the constant c. Both D(r, c) and D(c, r) are present as
basic formulas, since in our setting based on directed distances, the distance
between the valuation of r and c, and the distance between c and the valuation
of r, need not be the same. The formula "next $\varphi$" returns the (quantitative)
value of the subformula $\varphi$ in the next step of a trace, while "eventually $\varphi$" seeks
the maximum value attained by $\varphi$ throughout the trace. The logical connectives
"and" and "or" are interpreted as "min" and "max."

In the standard, relational setting, for a relation to characterize a logic, two
states must be related if and only if all formulas from the logic have the same
truth value on them. In our metric framework, we can achieve a finer
characterization: in addition to relating those states that formulas cannot
distinguish, we can also measure to what extent the logic can tell one state from the
other. We give two kinds of characterizations. We show that for arbitrary metric
transition systems, the distances provide a bound for the difference in value of
Qltl formulas: precisely, for all states s, t we have $|\varphi(t) - \varphi(s)| \le \overline{ld^s}(s,t)$ and
$\varphi(t) - \varphi(s) \le ld^s(s,t)$. Moreover, we show that for finitely branching metric
transition systems, such characterizations are tight: for all states s, t we have
$\overline{ld^s}(s,t) = \sup_{\varphi \in \mathrm{Qltl}} |\varphi(t) - \varphi(s)|$ and $ld^s(s,t) = \sup_{\varphi \in \mathrm{Qltl}} (\varphi(t) - \varphi(s))$. This
tightness result does not hold in general for non-finitely-branching metric
transition systems.

We then study the branching distances that are the analogues of simulation
and bisimulation on quantitative systems. A state s simulates a state t via R
if the proposition valuations at s and t coincide, and if every successor of s is
related via R to some successor of t. We generalize simulation to a distance bdAs
over states. If bdAs(s,t) = b, then the valuations of corresponding predicates at s
and t differ by at most b, and every successor of s can be matched by a successor
of t within bdAs-distance b. In a similar fashion, we can define a distance bdSa
that is a quantitative analogue of bisimulation; such a distance has been studied
in [7, 18]. We relate these distances to Qmu, a quantitative fixpoint calculus that
closely resembles the μ-calculus of [4], and is related to the calculi of [11, 5] (see
also [10, 15]). Similarly to Qltl, the basic formulas of Qmu are of the form
D(r, c) and D(c, r), for a predicate r and a valuation c. The modal formulas
$\forall\bigcirc\varphi$, $\exists\bigcirc\varphi$ compute respectively the least and greatest value of a subformula $\varphi$
at all successor states; the logical connectives "and" and "or" are interpreted as
"min" and "max", and the fixpoints are given a quantitative interpretation.

Again, we provide a twofold logical characterization of the branching
distances in terms of Qmu. We show that for arbitrary metric transition systems,
we have $|\varphi(t) - \varphi(s)| \le bdSs(s,t)$ and $\psi(t) - \psi(s) \le bdAs(s,t)$, where $\varphi$ is any
Qmu-formula, and $\psi$ is any "universal" Qmu-formula, i.e., any formula of Qmu
which does not contain $\exists\bigcirc$. Moreover, if the metric transition system is finitely
branching, then we have the stronger result $bdSa(s,t) = \sup_{\varphi \in \mathrm{Qmu}} |\varphi(t) - \varphi(s)|$
and $bdAs(s,t) = \sup_{\varphi \in \exists\mathrm{Qmu}} (\varphi(t) - \varphi(s))$, where $\exists$Qmu is the fragment of Qmu
in which $\exists\bigcirc$ does not occur; these results do not hold in general for
non-finitely-branching metric transition systems.

We relate linear and branching distances, showing that just as simulation
implies trace containment, so the branching distances are greater than or equal to
the corresponding linear distances. However, we show that determinism plays a
lesser role in the quantitative setting than in the standard boolean setting: while
trace inclusion (resp. equivalence) coincides with simulation (resp. bisimulation)
for deterministic boolean transition systems, we show that linear and branching
distances do not coincide for deterministic quantitative transition systems.
Finally, we present algorithms for computing linear and branching distances over
quantitative transition systems. We show that the problem of computing the
linear distances is PSPACE-complete, and it remains PSPACE-complete even over
deterministic systems, showing once more that determinism plays a lesser role
in quantitative transition systems. The branching distances can be computed in
polynomial time using standard fixpoint algorithms [4].

We present all our results in a discounted version, in which distances occurring
i steps in the future are multiplied by $\alpha^i$, where $\alpha$ is a discount factor in
[0,1]. This discounted setting is common in the theory of games (see e.g. [8])
and optimal control (see e.g. [6]), and it leads to robust theories of quantitative
systems [4]. In the discounted setting, behavioral differences arising far into
the future are given less relative weight than behavioral differences affecting the
present or the near future. Hence, the discounted setting leads to notions of
"local similarity" that enjoy many pleasant mathematical properties.

2  Preliminaries


We denote by $\mathbb{R}$ the set of real numbers, by $\mathbb{R}_+$ the set of non-negative reals
and we set $\overline{\mathbb{R}}_+ = \mathbb{R}_+ \cup \{\infty\}$. We extend the operations $+$, $-$, $\cdot$ to $\overline{\mathbb{R}}_+$ as usual:
namely, $\infty - \infty = 0$, $\infty + \infty = \infty$, and $\infty \pm x = \infty$ for all $x \in \mathbb{R}$, $\infty \cdot x = \infty$
for $x \in \mathbb{R} \setminus \{0\}$. For two numbers $x, y \in \mathbb{R}_+$, we write $x \sqcup y = \max(x,y)$
and $x \sqcap y = \min(x,y)$. We lift the operators $\sqcup$ and $\sqcap$, and the relations $\le$, $<$
to functions via their pointwise extensions. Precisely, for n-argument functions
$f_1, f_2 : A_1 \times \cdots \times A_n \to B$, we write $f_1 \sqcup f_2$ for the function $g : A_1 \times \cdots \times A_n \to B$
defined by $g(x_1,\ldots,x_n) = f_1(x_1,\ldots,x_n) \sqcup f_2(x_1,\ldots,x_n)$, and similarly for
$\sqcap$; we write $f_1 \le f_2$ if $f_1(x_1,\ldots,x_n) \le f_2(x_1,\ldots,x_n)$ for all $x_1 \in A_1, \ldots,
x_n \in A_n$, and we write $f_1 < f_2$ if $f_1 \le f_2$ and if there are some $x_1 \in A_1,
\ldots, x_n \in A_n$ for which $f_1(x_1,\ldots,x_n) < f_2(x_1,\ldots,x_n)$. Given a function
$d : X^2 \to \mathbb{R}_+$, we denote by $Zero(d) = \{(x,y) \in X^2 \mid d(x,y) = 0\}$ its zero set.
Given a sequence $\{x_i\}_{i \in \mathbb{N}}$, we commonly write $\lim_i x_i$ (resp. $\sup_i x_i$, $\inf_i x_i$) for
$\lim_{i \to \infty} x_i$ (resp. $\sup_{i \in \mathbb{N}} x_i$, $\inf_{i \in \mathbb{N}} x_i$). The following lemma summarizes some
simple facts about sequences of real numbers that will be needed in subsequent
proofs.

Lemma 1 Let $I$ be a set and $\{x_i\}_{i \in I}$, $\{y_i\}_{i \in I}$ be two families of numbers in
$\mathbb{R}$. The following assertions hold.

1. If $x_i - y_i \le c$ for all $i \in I$, then $\sup_i x_i - \sup_i y_i \le c$ and $\inf_i x_i - \inf_i y_i \le c$.

2. Let X, Y be sets and $f : X \times Y \to \mathbb{R}$ be a function. Then

$$\sup_{x \in X} \inf_{y \in Y} f(x,y) \le \inf_{y \in Y} \sup_{x \in X} f(x,y). \qquad \Box$$


2.1  Metrics  and  metric  spaces 

We define directed and undirected metrics, where undirected metrics are required
to be symmetrical and directed metrics are not. For example, the travel distance
between two points in a city with one-way streets is a directed metric. Our
directed and undirected metrics generalize the usual metrics, in that elements that
have metric 0 are not required to be identical. This terminology, used throughout
the paper, differs somewhat from the standard one: directed metrics have
been called generalized pseudometrics [9]. We prefer the term "directed", as it
is more specific, and parallels the distinction between directed and undirected
graphs. The definitions are as follows.

Definition 1 We introduce the following terminology.

1. A directed metric on a set X is a function $d : X \times X \to \mathbb{R}_+$ that satisfies

— $d(x,x) = 0$ for all $x \in X$;

— $d(x,z) \le d(x,y) + d(y,z)$ for all $x, y, z \in X$ (triangle inequality).

2. An undirected metric is a directed metric $d : X \times X \to \mathbb{R}_+$ that is symmetrical,
that is, such that $d(x,y) = d(y,x)$ for all $x, y \in X$. Undirected metrics
are also called simply metrics. □

We will often define directed metrics, and obtain the corresponding undirected
metrics by symmetrization.

Definition 2 (symmetrization) Given a directed metric d on a set X, we
denote by $\bar{d}$ its symmetrization, defined by $\bar{d}(x,y) = d(x,y) \sqcup d(y,x)$ for all
$x, y \in X$. Obviously, for all $x, y \in X$, we have $d(x,y) \le \bar{d}(x,y)$. □

In a Kripke structure, the value of a proposition, at each state, is a member of
the truth-value set $\{t, f\}$. We extend this setting by evaluating propositions, at
each state, to elements of metric spaces. A metric space is a set with a metric
defined on it; for the sake of generality, we assume only that the metric is a
directed metric.

Definition  3  A  directed  metric  space,  or  shortly  a  metric  space,  is  a  pair 
(X,  d),  where  d  is  a  directed  metric  on  X.  □ 

Example 1 An example of a metric space is the space of RGB-represented
colors, where the distance between colors $c_1$ and $c_2$ represents the difference
in brightness between $c_1$ and $c_2$. The space is then $X = [0,1]^3$, and for
$x = (x_1, x_2, x_3)$ and $y = (y_1, y_2, y_3)$ we define $d(x,y) = |x \cdot b - y \cdot b|$, where b is a
vector giving the brightness of each basic color, and $\cdot$ is the internal product. It
is easy to see that (X, d) is a directed metric space. In particular, d is undirected,
and note that different colors may have the same brightness. □

Example 2 Another example of metric space is $X_{\mathbb{R}} = (\mathbb{R}, d_{\mathbb{R}})$, with
$d_{\mathbb{R}}(x,y) = x \mathbin{\dot{-}} y \stackrel{\mathrm{def}}{=} \max\{x - y, 0\}$ for $x, y \in \mathbb{R}$. It is immediate that $d_{\mathbb{R}}$ is a directed metric. □

Example 3 A particularly simple example of metric space is $X_{\mathbb{B}} = (X, d_{\mathbb{B}})$
with $X = \{0,1\}$ and $d_{\mathbb{B}}(x,y) = |x - y|$ for $x, y \in \{0,1\}$. This is the usual space of
"boolean" valuations; it is immediate that $d_{\mathbb{B}}$ is an undirected metric. □

When  providing  logical  characterizations  for  the  distances,  we  will  first  consider 
logics  in  which  any  element  of  the  metric  space  can  be  used  as  a  constant.  If  the 
metric  space  is  uncountable,  however,  this  leads  to  the  consideration  of  logics 
with  uncountably  many  symbols.  If  a  metric  space  is  separable,  each  element 
can  be  approximated  by  arbitrarily  close  elements  of  a  countable  basis.  In  this 
case,  we  will  see  that  logics  with  countably  many  symbols  (corresponding  to  the 
elements  of  the  basis)  will  suffice. 

Definition 4 (separable directed metric space) A directed metric space
(X, d) is separable if there is a countable basis $B \subseteq X$ such that, for all $x \in X$
and all $\varepsilon > 0$, there is $y \in B$ with $d(x,y) \le \varepsilon$ and $d(y,x) \le \varepsilon$. □

2.2  Metric  transition  systems 

A metric transition system is a transition system where the value of a
proposition, at each state, is an element of a directed metric space. To simplify the
notation, we assume throughout the paper an underlying set AP of propositions,
where each proposition $r \in AP$ takes values in a metric space $(X_r, d_r)$.

Definition 5 (valuations) A valuation u of a set $\Sigma \subseteq AP$ of propositions is
a function with domain $\Sigma$ that assigns to each $r \in \Sigma$ an element $u(r) \in X_r$ of
the metric space $(X_r, d_r)$ corresponding to r. We denote by $U[\Sigma]$ the set of all
valuations of $\Sigma$. □

Definition 6 (metric transition system) A metric transition system (MTS)
is a tuple $M = (S, \tau, \Sigma, [\cdot])$ consisting of the following components:

— a set S of states;

— a transition relation $\tau \subseteq S \times S$;

— a finite set $\Sigma \subseteq AP$ of propositions;

— a function $[\cdot] : S \to U[\Sigma]$ which assigns to each state $s \in S$ a valuation.

For a state $s \in S$, we write $\tau(s)$ for $\{t \in S \mid (s,t) \in \tau\}$. We require that M is
non-blocking: for all $s \in S$, the set $\tau(s)$ is non-empty. □

We  distinguish  the  special  classes  of  deterministic  and  finitely  branching  MTSs. 

Definition 7 (special types of MTSs) Let $M = (S, \tau, \Sigma, [\cdot])$ be an MTS.

— We say that M is deterministic if for all states $s \in S$ and $t, t' \in \tau(s)$ with
$t \ne t'$, there is $r \in \Sigma$ such that $[t](r) \ne [t'](r)$.

— We say that M is finitely branching if $\tau(s)$ is finite for all $s \in S$.

— We say that M is separable if, for all $r \in \Sigma$, the metric space $(X_r, d_r)$ is
separable. In this case, we denote by $B_r$ a countable basis for $(X_r, d_r)$. □

2.3  Paths  and  traces 

Given a set A and a sequence $\pi = a_0 a_1 a_2 \cdots \in A^\omega$, we write $\pi_i$ for the i-th
element $a_i$ of $\pi$, and we write $\pi^i = a_i a_{i+1} a_{i+2} \cdots$ for the (infinite) suffix of $\pi$
starting from $\pi_i$.

Definition 8 (paths and traces) Consider an MTS $M = (S, \tau, \Sigma, [\cdot])$. A path
of M is an infinite sequence of states $\pi \in S^\omega$ such that $(\pi_i, \pi_{i+1}) \in \tau$ for all $i \in \mathbb{N}$.
Given a state $s \in S$, we write $Paths_M(s)$ for the set of all paths of M starting
from s; we omit the subscript M when clear from the context.

A trace is an infinite sequence $\sigma \in U[\Sigma]^\omega$. Every path $\pi$ of M induces a trace
$[\pi] = [\pi_0][\pi_1][\pi_2] \cdots$. We write $Tr_M(s) = \{[\pi] \mid \pi \in Paths_M(s)\}$ for the set of
traces of M starting from the state $s \in S$, and we omit the subscript M when
clear from the context. □

2.4  Branching  and  trace  relations 

We  define  simulation,  bisimulation,  trace  containment,  and  trace  equivalence  for 
MTSs  as  usual. 

Definition 9 ((bi)simulation, trace containment/equivalence) For an
MTS $M = (S, \tau, \Sigma, [\cdot])$, the simulation relation $\preceq_{sim}$ (resp. the bisimulation
relation $\approx_{bis}$) is the largest relation $R \subseteq S \times S$ such that, for all $s \mathrel{R} t$, the
following Conditions 1 and 2 (resp. 1, 2, and 3) hold:

1. $[s] = [t]$;

2. for all $s' \in \tau(s)$, there is $t' \in \tau(t)$ with $s' \mathrel{R} t'$;

3. for all $t' \in \tau(t)$, there is $s' \in \tau(s)$ with $s' \mathrel{R} t'$.

For $s, t \in S$, we write $s \sqsubseteq_{tr} t$ if $Tr(s) \subseteq Tr(t)$, and $s \equiv_{tr} t$ if $Tr(s) = Tr(t)$. □

2.5  Discussion 

We note that, for some of the results on system metrics, it would have been
sufficient to define a metric transition system as a system that maps each state
into an element of a metric space, bypassing thus the introduction of a set of
predicates, and the related machinery. Such a definition, of course, is a special
case of the one we adopt, and corresponds to considering metric transition
systems with only one proposition. The main function of predicates is to enable us
to develop the connection between system metrics and logics, since the logics
refer to quantities via the predicates.

In an MTS $(S, \tau, \Sigma, [\cdot])$, we call each $r \in \Sigma$ a "proposition", rather than
"variable", in spite of the fact that r takes values in a generic metric space $(X_r, d_r)$,
rather than in the set of truth-values. Our choice of terminology is motivated
by the fact that in the system logics we consider, the symbol r plays a (syntactic)
role that is analogous to that of ordinary propositions. We reserve instead
the term "variable" for the variables used to construct fixpoint expressions in
μ-calculus.

3  Linear  Distances  and  Logics 

3.1  Linear  distances 

Throughout the paper, unless specifically noted, we consider a fixed MTS
$M = (S, \tau, \Sigma, [\cdot])$. We proceed by defining the linear distances between valuations, then
between traces and finally between states. The propositional distance between
two valuations is the maximum difference in their proposition evaluations, where
differences in the assignments of proposition r are measured by the metric $d_r$.

Definition 10 (propositional distance) We define the propositional
distance $pd : U[\Sigma]^2 \to \mathbb{R}_+$, for all valuations $u, v \in U[\Sigma]$, as
$pd(u,v) = \max_{r \in \Sigma} d_r(u(r), v(r))$. □

For ease of notation, we write $pd(s,t)$ for $pd([s],[t])$. If $d_r$ is a distance for
each $r \in \Sigma$, then given $u, v \in U[\Sigma]$ we have $(u,v) \in Zero(\overline{pd})$ iff $u = v$, and
$(u,v) \in Zero(pd)$ iff $u \le v$. The trace distance is the pointwise extension of
the propositional distance to infinite sequences of valuations, where the value at
position i is discounted by $\alpha^i$, for a discount factor $\alpha \in (0,1]$.

Definition 11 (trace distance) We define the trace distance
$td_\alpha : U[\Sigma]^\omega \times U[\Sigma]^\omega \to \mathbb{R}_+$ by letting, for $\sigma, \rho \in U[AP]^\omega$ and $\alpha \in (0,1]$,
$td_\alpha(\sigma,\rho) = \sup_{i \in \mathbb{N}} \alpha^i \, pd(\sigma_i, \rho_i)$. □

It is easy to show that $td_\alpha$ is a directed metric. The following result states
that if we base the notion of trace distance on $\overline{pd}$ instead of on $pd$ (i.e. if we
replace $pd$ by $\overline{pd}$ in the definition above), we obtain the symmetrization $\overline{td}_\alpha$ of
$td_\alpha$. Moreover, the kernel of this symmetrization is trace equality.

Lemma 1. For all sequences $\sigma, \rho \in U[\Sigma]^\omega$ and all $\alpha \in (0,1]$, we have
$\overline{td}_\alpha(\sigma,\rho) = \sup_{i \in \mathbb{N}} \alpha^i \, \overline{pd}(\sigma_i, \rho_i)$ and $(\sigma,\rho) \in Zero(\overline{td}_\alpha) \iff \sigma = \rho$.

The  linear  distances  between  two  states  are  obtained  by  lifting  trace  distances  to 
the  set  of  all  traces  from  the  two  states,  as  in  the  definition  of  Hausdorff  distance 
between  sets. 

Definition 12 (linear distance) We define the two linear distances $ld^a_\alpha$ and
$ld^s_\alpha$ over S as follows, for $s, t \in S$ and $\alpha \in (0,1]$:

$$ld^a_\alpha(s,t) = \sup_{\sigma \in Tr(s)} \inf_{\rho \in Tr(t)} td_\alpha(\sigma,\rho) \qquad ld^s_\alpha(s,t) = \sup_{\sigma \in Tr(s)} \inf_{\rho \in Tr(t)} \overline{td}_\alpha(\sigma,\rho) \qquad \Box$$

One can easily check that, for all $\alpha \in (0,1]$, the functions $ld^a_\alpha$ and $ld^s_\alpha$ are
directed metrics, while $\overline{ld^a_\alpha}$ and $\overline{ld^s_\alpha}$ are undirected ones. Intuitively, the distance
$ld^s_\alpha$ is a quantitative extension of trace containment: for $s, t \in S$, the distance
$ld^s_\alpha(s,t)$ measures how closely (in a quantitative sense) a trace from s can be
simulated by a trace from t. The symmetrization of $ld^s_\alpha$ is $\overline{ld^s_\alpha}$, which is related to
trace equivalence. Indeed, we will see in the next section that it is possible to
define a quantitative logic Qltl such that the valuation of Qltl formulas at s
and t can differ by at most $\overline{ld^s_\alpha}(s,t)$, and similarly, the valuation of any Qltl
formula at t is at most $ld^s_\alpha(s,t)$ below the valuation at s.

Example 4 Consider the case where $(X_r, d_r) = X_{\mathbb{R}}$ for all $r \in \Sigma$, that is, all
propositions are interpreted as real numbers, and $d_r(a,b)$ is a measure of how
much greater is a than b. In this setting, for $\alpha = 1$ the distances $ld^a_\alpha$ and $\overline{ld^a_\alpha}$
have the following intuitive characterization. For a trace $\sigma \in U[\Sigma]^\omega$ and $c \in \mathbb{R}$,
denote by $\sigma - c$ the trace defined by $(\sigma - c)_k(r) = \sigma_k(r) - c$ for all $k \in \mathbb{N}$ and
$r \in \Sigma$: in other words, $\sigma - c$ is obtained from $\sigma$ by decreasing all proposition
valuations by c. For all $s, t \in S$, if $ld^a_1(s,t) = c$ then for every trace $\sigma$ from s there
is a trace $\rho$ from t such that $\rho \ge \sigma - c$. This means that $ld^a_1(s,t)$ is a "positive"
version of trace containment: for each trace $\sigma$ of s, the goal of a trace $\rho$ from t
is not that of being close to $\sigma$, but rather, that of not being below $\sigma - c$. □

Theorem 1 For all finitely branching MTSs $(S, \tau, \Sigma, [\cdot])$ and for all $\alpha \in (0,1]$,
we have $\sqsubseteq_{tr} = Zero(ld^s_\alpha)$ and $\equiv_{tr} = Zero(\overline{ld^s_\alpha})$.

Proof. Let $(S, \tau, \Sigma, [\cdot])$ be an MTS with $s, t \in S$ and $\alpha \in (0,1]$. It is easy to see
that $s \sqsubseteq_{tr} t$ implies $ld^s_\alpha(s,t) = 0$. To prove the converse, assume that
$ld^s_\alpha(s,t) = 0$ and let $\sigma \in Tr(s)$. Then, there are traces $\rho_0, \rho_1, \rho_2, \ldots \in Tr(t)$ such that
$\overline{td}_\alpha(\sigma, \rho_i)$ < ~ for all i. Due to the finitely branching property, there exists a
trace $\rho^*$ such that $\overline{td}_\alpha(\sigma, \rho^*)$ < E for all i. This means that $\overline{td}_\alpha(\sigma, \rho^*) = 0$,
which, by Lemma 1, is the same as $\sigma = \rho$. Now, the result for $\equiv_{tr}$ and $\overline{ld^s_\alpha}$ easily
follows. □

Fig. 1. An MTS showing the difference between $Zero(ld^s_\alpha)$ and $\sqsubseteq_{tr}$. The proposition r
is evaluated in the metric space $X_{\mathbb{R}}$.


Fig. 2. An MTS showing the difference between $ld^a_\alpha$, $ld^s_\alpha$, $\overline{ld^a_\alpha}$, and $\overline{ld^s_\alpha}$. The proposition
r is evaluated in the metric space $X_{\mathbb{R}}$.


To show that the result above does not hold for infinitely branching systems,
consider the MTS in Figure 1, where the proposition r is again evaluated in
the metric space $X_{\mathbb{R}}$. This MTS has infinitely many states $s_0, t_0, t_1, t_2, \ldots$
and transitions $(s_0, s_0)$, $(t_0, t_i)$ and $(t_i, t_i)$ for each $i \in \mathbb{N}$. Moreover, we put
$[r](s_0) = [r](t_0) = 0$ and $[r](t_i) = 10^{-i}$ for $i > 0$. Then, we have for all $\alpha \in (0,1]$
that $(s_0, t_0) \in Zero(ld^s_\alpha)$, but $s_0 \not\sqsubseteq_{tr} t_0$. To obtain an MTS with $\overline{ld^s_\alpha}(t_0, u_0) = 0$,
but $t_0 \not\equiv_{tr} u_0$, we let $u_0$ be a state that is exactly the same as $t_0$ (i.e. same
valuation and same successor states), except that it has a self-loop (i.e. a transition
$(u_0, u_0) \in \tau$).
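The following Python sketch is an added example, not code from the paper. It implements Definitions 10 to 12 for ultimately periodic ("lasso") traces and evaluates them on the Figure 1 system truncated to successors t_1..t_n, showing that the symmetric-based distance from s0 to t0 stays positive for every finite n while shrinking toward 0. The names `Lasso`, `td`, `ld`, `figure1_traces` and the truncation to finitely many successors (taken here as i ≥ 1) are assumptions of this example.

```python
from fractions import Fraction
from math import gcd


def d_directed(x, y):
    """Directed metric of Example 2: d(x, y) = max(x - y, 0)."""
    return max(x - y, 0)


def symmetrize(d):
    """Definition 2: the symmetrization is the larger of d(x, y) and d(y, x)."""
    return lambda x, y: max(d(x, y), d(y, x))


def pd(u, v, metrics):
    """Definition 10: max over propositions r of d_r(u(r), v(r))."""
    return max(d(u[r], v[r]) for r, d in metrics.items())


class Lasso:
    """Ultimately periodic trace: `prefix` followed by `cycle` repeated forever."""

    def __init__(self, prefix, cycle):
        if not cycle:
            raise ValueError("cycle must be non-empty (traces are infinite)")
        self.prefix, self.cycle = list(prefix), list(cycle)

    def __getitem__(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]


def td(sigma, rho, metrics, alpha):
    """Definition 11: sup_i alpha^i * pd(sigma_i, rho_i) for two lasso traces.

    From index p (the longer prefix) the pair (sigma_i, rho_i) repeats with
    period l (lcm of the cycle lengths). Because alpha <= 1, position i + l
    never scores higher than position i, so the sup is a max over the first
    p + l positions.
    """
    if not 0 < alpha <= 1:
        raise ValueError("discount factor must lie in (0, 1]")
    p = max(len(sigma.prefix), len(rho.prefix))
    a, b = len(sigma.cycle), len(rho.cycle)
    l = a * b // gcd(a, b)
    return max(alpha ** i * pd(sigma[i], rho[i], metrics) for i in range(p + l))


def ld(traces_s, traces_t, metrics, alpha):
    """Definition 12 over finite trace sets: max over sigma of min over rho."""
    return max(min(td(s, r, metrics, alpha) for r in traces_t) for s in traces_s)


def figure1_traces(n):
    """Traces of the Figure 1 system, truncated to successors t_1..t_n."""
    zero = {"r": Fraction(0)}
    from_s0 = [Lasso([], [zero])]                            # s0 s0 s0 ...
    from_t0 = [Lasso([zero], [{"r": Fraction(1, 10 ** i)}])  # t0 t_i t_i ...
               for i in range(1, n + 1)]
    return from_s0, from_t0


DIRECTED = {"r": d_directed}               # gives pd, hence td and ld^a
SYMMETRIC = {"r": symmetrize(d_directed)}  # gives the symmetrized pd, hence ld^s

if __name__ == "__main__":
    alpha = Fraction(1, 2)
    for n in (1, 2, 4, 8):
        s, t = figure1_traces(n)
        # columns: n, ld^s(s0,t0), ld^a(s0,t0), ld^a(t0,s0)
        print(n, ld(s, t, SYMMETRIC, alpha), ld(s, t, DIRECTED, alpha),
              ld(t, s, DIRECTED, alpha))
```

For every finite n the symmetric-based value equals α·10^(-n), so the infimum over all successors is 0 without any single trace from t0 matching the all-zero trace of s0.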

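The relations among linear distances are summarized by the following
theorem.

Theorem 2 The following assertions hold.

1. For all MTSs, and for all $\alpha \in (0,1]$, we have $ld^a_\alpha \le \overline{ld^a_\alpha}$, $ld^a_\alpha \le ld^s_\alpha$,
$ld^s_\alpha \le \overline{ld^s_\alpha}$, and $\overline{ld^a_\alpha} \le \overline{ld^s_\alpha}$; moreover, for $\alpha \in (0,1]$ the inequalities
cannot be replaced by equalities.

2. For $\alpha \in (0,1]$, the distances $ld^s_\alpha$ and $\overline{ld^a_\alpha}$ are incomparable: there is an MTS
with states $s, t, z \in S$ such that $ld^s_\alpha(s,t) < \overline{ld^a_\alpha}(s,t)$ and $ld^s_\alpha(t,z) > \overline{ld^a_\alpha}(t,z)$.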

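Proof. The first and third inequalities of statement (1) are trivial, while the
second and fourth follow immediately from the fact that, for all traces $\sigma$ and $\rho$,
$td(\sigma,\rho) \le \overline{td}(\sigma,\rho)$. For $\alpha \in (0,1]$ and the MTS in Figure 2, we have

$$
\begin{array}{lll}
ld^a_\alpha(s_0,t_0) = 0 & ld^a_\alpha(t_0,u_0) = 0 & ld^a_\alpha(u_0,t_0) = 0 \\
ld^s_\alpha(s_0,t_0) = 0 & ld^s_\alpha(t_0,u_0) = \alpha & ld^s_\alpha(u_0,t_0) = 0 \\
\overline{ld^a_\alpha}(s_0,t_0) = \alpha & \overline{ld^a_\alpha}(t_0,u_0) = 0 & \overline{ld^a_\alpha}(u_0,t_0) = 0 \\
\overline{ld^s_\alpha}(s_0,t_0) = \alpha & \overline{ld^s_\alpha}(t_0,u_0) = \alpha & \overline{ld^s_\alpha}(u_0,t_0) = \alpha
\end{array}
$$

Thus, we have an example where $ld^a_\alpha \ne ld^s_\alpha$, $\overline{ld^a_\alpha} \ne ld^a_\alpha$, $ld^s_\alpha \ne \overline{ld^s_\alpha}$, $\overline{ld^a_\alpha} \ne \overline{ld^s_\alpha}$,
and neither $ld^s_\alpha \le \overline{ld^a_\alpha}$ nor $ld^s_\alpha \ge \overline{ld^a_\alpha}$. □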

Next, we show that the linear distances are robust with respect to perturbations
in the state valuations: small changes in the proposition valuations cause small
changes in the distances. Given two state valuations $[\cdot]_1, [\cdot]_2 : S \to U[\Sigma]$, we
define their directed distance by:

$$d([\cdot]_1, [\cdot]_2) = \sup_{s \in S} \max_{r \in \Sigma} d_r([s]_1(r), [s]_2(r))$$

Moreover, for a state valuation $f : S \to U[\Sigma]$ and $\alpha \in (0,1]$, we write $ld^a_{f,\alpha}$, $ld^s_{f,\alpha}$
for the distances defined as in Definition 12, using f as the state valuation.

Theorem 3 (linear distance robustness) For all $\alpha \in (0,1]$, all predicate
valuations $[\cdot]_1, [\cdot]_2$, and all $s, t \in S$, we have

$$ld^a_{[\cdot]_1,\alpha}(s,t) - ld^a_{[\cdot]_2,\alpha}(s,t) \le d([\cdot]_1, [\cdot]_2) + d([\cdot]_2, [\cdot]_1)$$

$$|ld^s_{[\cdot]_1,\alpha}(s,t) - ld^s_{[\cdot]_2,\alpha}(s,t)| \le 2 \cdot \bar{d}([\cdot]_1, [\cdot]_2)$$

Proof.  The  result  follows  by  showing  that  the  trace  distance  between  two  traces 
p  and  a,  measured  under  [-]i  and  [-]2,  differs  by  at  most  cZ([-]i,  [-]2)  +  d([-]2,  [-]i). 
The  key  step  consists  in  noting  that,  for  any  r  €  E,  from  the  triangular  inequality 

dr([s]i(r),[t]i(r))  <  dr([.s]i(r),  [s]2(r))  +  dr([s]2{r),[t]2(r))  +  dr([t]2(r),[t] i(r)) 

follows 

dr([s]i(r),  [Z]i(r))  -  dr{[s]2{r),  [t]2(r))  <  dr([s]i(r),  [s]2(r))  +  dr{[t]2{r),  [Z]i(r)) 

<d([-]i,[-]2)  +  d([-]3l[-]i). 

Now  the  result  follows  by  repetitive  application  of  Lemma  1(1).  □ 


3.2  Quantitative  linear-time  temporal  logic 

The linear distances introduced above can be characterized in terms of quantitative linear-time temporal logic (QLTL), a quantitative extension of linear-time temporal logic [14] which includes quantitative versions of the temporal operators and logic connectives. Following [7], QLTL has a "threshold" operator, enabling the comparison of a formula against a real constant. The QLTL formulas over a set $\Sigma$ of propositions are generated by the following grammar:

$$\varphi ::= D(r,c) \mid D(c,r) \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \bigcirc_\alpha \varphi \mid \Diamond_\alpha \varphi$$

Here $r \in \Sigma$ is a proposition, $c \in \bigcup_{r \in \Sigma} X_r$ is a constant and $\alpha \in (0,1]$ a discount factor. We assume that, in a term of the form $D(r,c)$ or $D(c,r)$, we have $c \in X_r$.
A formula $\varphi$ assigns a value $[\varphi](\sigma) \in \mathbb{R}^+$ to each trace $\sigma \in \mathcal{U}[\Sigma]^\omega$:

$$[D(r,c)](\sigma) = d_r(\sigma_0(r), c)$$

$$[D(c,r)](\sigma) = d_r(c, \sigma_0(r))$$

$$[\varphi_1 \wedge \varphi_2](\sigma) = [\varphi_1](\sigma) \sqcap [\varphi_2](\sigma)$$

$$[\varphi_1 \vee \varphi_2](\sigma) = [\varphi_1](\sigma) \sqcup [\varphi_2](\sigma)$$

$$[\bigcirc_\alpha \varphi](\sigma) = \alpha \cdot [\varphi](\sigma^1)$$

$$[\Diamond_\alpha \varphi](\sigma) = \sup\{\alpha^i \cdot [\varphi](\sigma^i) \mid i \ge 0\}$$

A QLTL formula $\varphi$ assigns a real value $[\varphi](s) \in \mathbb{R}^+$ to each state $s$ of a given MTS, by defining

$$[\varphi](s) = \inf\{[\varphi](\rho) \mid \rho \in Tr(s)\}.$$

We  note  that  the  above  definition  could  also  be  phrased  in  terms  of  sup  over 
all  traces  from  s,  rather  than  inf.  However,  as  our  setting  is  based  on  distances, 
the  inf  operator  most  closely  corresponds  to  the  universal  quantification  over  all 
paths  present  in  the  classical  definition  of  LTL  semantics. 

For $\alpha \in (0,1]$, we denote by QLTL$_\alpha$ the set of formulas containing only discount factors smaller than or equal to $\alpha$. Furthermore, for $ops \subseteq \{\bigcirc, \Diamond, D(c,r), D(r,c)\}$, we denote by QLTL$_\alpha \setminus ops$ the set of formulas which do not employ the operators in $ops$.

Notice that QLTL is a proper extension to the fragment of LTL without the Until operator, in the following sense. Consider the metric space $E = (\{0,1\}, \lambda x y.|x - y|)$. Any Kripke structure $M$ has an obvious translation to an MTS $M'$ over $E$. Moreover, any LTL formula $\varphi$ in positive normal form can be translated into a QLTL formula $\varphi'$ by adding the discount factor 1 as a subscript to all temporal operators and replacing $r$ and $\neg r$ with $d(r,0)$ and $d(r,1)$, respectively. Then, $\varphi$ is true on a Kripke structure $M$ if and only if $\varphi'$ evaluates to 1 on $M'$.


3.3  Logical  characterization  of  linear  distances 

Linear  distances  provide  a  bound  for  the  difference  in  valuation  of  Qltl  formulas. 
We  begin  by  relating  distances  and  logics  over  traces. 

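Lemma 2 For all MTSs $(S, \tau, \Sigma, [\cdot])$, all $\alpha \in (0,1]$ and traces $\sigma, \rho \in \mathcal{U}[\Sigma]^\omega$, the following holds.

For all $\varphi \in$ QLTL$_\alpha \setminus \{D(r,c)\}$: $td_\alpha(\sigma,\rho) \ge [\varphi](\rho) - [\varphi](\sigma)$;

for all $\varphi \in$ QLTL$_\alpha \setminus \{D(c,r)\}$: $td_\alpha(\sigma,\rho) \ge [\varphi](\sigma) - [\varphi](\rho)$;

for all $\varphi \in$ QLTL$_\alpha$: $\overline{td}_\alpha(\sigma,\rho) \ge |[\varphi](\rho) - [\varphi](\sigma)|$.

Proof. Let us consider the first assertion. We proceed by structural induction on $\varphi$. If $\varphi = D(c,r)$, using triangle inequality we get

$$[\varphi](\rho) - [\varphi](\sigma) = d(c,[\rho_0](r)) - d(c,[\sigma_0](r)) \le d([\sigma_0](r),[\rho_0](r)) \le pd(\sigma_0,\rho_0) \le td_\alpha(\sigma,\rho).$$

If $\varphi = \Diamond_\alpha \psi$, by inductive hypothesis we have that, for all $i \in \mathbb{N}$, $[\psi](\rho^i) - [\psi](\sigma^i) \le td_\alpha(\rho^i,\sigma^i)$ and thus $\alpha^i \cdot [\psi](\rho^i) - \alpha^i \cdot [\psi](\sigma^i) \le \alpha^i \cdot td_\alpha(\rho^i,\sigma^i) \le td_\alpha(\rho,\sigma)$. Then, by Lemma 1,

$$[\varphi](\rho) - [\varphi](\sigma) = \sup_{i \in \mathbb{N}} \alpha^i \cdot [\psi](\rho^i) - \sup_{j \in \mathbb{N}} \alpha^j \cdot [\psi](\sigma^j) \le td_\alpha(\rho,\sigma).$$

Similar observations hold for the remaining cases.

The second assertion can be proved in symmetrical fashion. The third assertion can be easily proved along similar lines. □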

The first result of the previous lemma is tight in two respects: both replacing QLTL$_\alpha \setminus \{D(r,c)\}$ with QLTL$_\alpha$ and replacing $[\varphi](\rho) - [\varphi](\sigma)$ with $|[\varphi](\rho) - [\varphi](\sigma)|$ render the result false. The second assertion is also tight in a similar sense. The following theorem uses the linear distances to provide the desired bounds for QLTL.

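Theorem 4 For all MTSs $(S, \tau, \Sigma, [\cdot])$, all $\alpha \in (0,1]$ and $s,t \in S$, we have:

For all $\varphi \in$ QLTL$_\alpha \setminus \{D(r,c)\}$:

$$ld^a_\alpha(s,t) \ge [\varphi](t) - [\varphi](s) \quad\text{and}\quad \overline{ld}^a_\alpha(s,t) \ge |[\varphi](t) - [\varphi](s)|;$$

For all $\varphi \in$ QLTL$_\alpha$:

$$ld^s_\alpha(s,t) \ge [\varphi](t) - [\varphi](s) \quad\text{and}\quad \overline{ld}^s_\alpha(s,t) \ge |[\varphi](t) - [\varphi](s)|.$$

Proof. We first prove that $ld^a_\alpha(s,t) \ge [\varphi](t) - [\varphi](s)$.

$$\begin{aligned}
ld^a_\alpha(s,t) &= \sup_{\sigma \in Tr(s)} \inf_{\rho \in Tr(t)} td_\alpha(\sigma,\rho) \\
&\ge \sup_{\sigma \in Tr(s)} \inf_{\rho \in Tr(t)} ([\varphi](\rho) - [\varphi](\sigma)) \quad\text{by Lemma 2,} \\
&= \inf_{\rho \in Tr(t)} [\varphi](\rho) - \inf_{\sigma \in Tr(s)} [\varphi](\sigma) \\
&= [\varphi](t) - [\varphi](s).
\end{aligned}$$

The result for $\overline{ld}^a_\alpha$ is an immediate consequence. The statements concerning $ld^s_\alpha$ and $\overline{ld}^s_\alpha$ follow in a similar way from Lemma 2. □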

The results for $ld^s_\alpha$ and $\overline{ld}^s_\alpha$ are the quantitative analogues of the standard connection between trace containment and trace equivalence, and LTL. For instance, the result about $ld^s_\alpha$ states that, if $ld^s_\alpha(s,t) = c$, then for every formula $\varphi \in$ QLTL$_\alpha$ and every trace $\sigma$ from $s$, there is a trace $\rho$ from $t$ such that

$$[\varphi](\sigma) \ge [\varphi](\rho) - c.$$

We next show that, for finitely branching systems, QLTL provides a full logical characterization of the linear distances, meaning that the distinguishing power of the logic is exactly the same as the one of the distances. We start with a technical lemma. Given two traces $\sigma$ and $\rho$, an integer $m$ and a discount factor $\alpha$, let the bounded distance between $\sigma$ and $\rho$ be defined as $btd^m_\alpha(\sigma,\rho) = \max_{0 \le i \le m} \alpha^i pd(\sigma_i,\rho_i)$. Clearly, $td_\alpha(\sigma,\rho) = \lim_m btd^m_\alpha(\sigma,\rho)$.
Lemma 3 If the MTS $M$ is finitely branching, then for all traces $\sigma$, discount factors $\alpha \in (0,1]$ and $t \in S$, we have

$$\sup_{m \in \mathbb{N}} \inf_{\rho \in Tr(t)} btd^m_\alpha(\sigma,\rho) = \inf_{\rho \in Tr(t)} \sup_{m \in \mathbb{N}} btd^m_\alpha(\sigma,\rho).$$

Proof. Since the l.h.s. is trivially smaller than or equal to the r.h.s., we are left to prove that (l.h.s.) $\ge$ (r.h.s.). Specifically, we prove that, for all $\epsilon > 0$, (r.h.s.) $\le$ (l.h.s.) $+ \epsilon$. Fix $\epsilon > 0$. For all $m \ge 0$, there exists $\rho_m \in Tr(t)$ such that

$$btd^m_\alpha(\sigma,\rho_m) \le \inf_{\rho \in Tr(t)} btd^m_\alpha(\sigma,\rho) + \epsilon.$$

For all $m \ge 0$, let $\gamma_m$ be the prefix of $\rho_m$ up to the $(m+1)$-th valuation. The set $\{\gamma_m \mid m \ge 0\}$ can be arranged into a tree that is a subtree of the unrolling of $t$. Since this tree contains infinitely many nodes and is finitely branching, by König's lemma it must contain an infinite trace $\rho^* \in Tr(t)$. The trace $\rho^*$ has infinitely many prefixes in $\{\gamma_m \mid m \ge 0\}$. Therefore, there is an increasing sequence $(i_m)_{m \ge 0}$ such that, for all $m \ge 0$, $\gamma_{i_m}$ is a prefix of $\rho^*$. It follows that

$$\begin{aligned}
\text{(r.h.s.)} \le td_\alpha(\sigma,\rho^*) &= \lim_m btd^m_\alpha(\sigma,\rho^*) \\
&= \lim_m btd^{i_m}_\alpha(\sigma,\rho^*) \\
&\le \lim_m btd^{i_m}_\alpha(\sigma,\gamma_{i_m}) \\
&= \lim_m btd^{i_m}_\alpha(\sigma,\rho_{i_m}) \\
&\le \lim_m \inf_{\rho \in Tr(t)} btd^{i_m}_\alpha(\sigma,\rho) + \epsilon = \text{(l.h.s.)} + \epsilon. \quad □
\end{aligned}$$

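The following theorem states which fragment of the logic is necessary to characterize each linear distance. In particular, the operator $\Diamond$ is never needed. Together with Theorem 4, this result constitutes a full characterization of linear distances in terms of QLTL.

Theorem 5 If an MTS $M = (S, \tau, \Sigma, [\cdot])$ is finitely branching, then for all $\alpha \in (0,1]$ and $s,t \in S$,

$$ld^a_\alpha(s,t) = \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c),\Diamond\}} [\varphi](t) - [\varphi](s)$$

$$\overline{ld}^a_\alpha(s,t) = \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c),\Diamond\}} |[\varphi](t) - [\varphi](s)|$$

$$ld^s_\alpha(s,t) = \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{\Diamond\}} [\varphi](t) - [\varphi](s)$$

$$\overline{ld}^s_\alpha(s,t) = \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{\Diamond\}} |[\varphi](t) - [\varphi](s)|$$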

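Proof. By Theorem 4, we only need to prove the "$\le$" part of the equalities. We first prove the statement involving $ld^a_\alpha$. For sake of simplicity, assume $\Sigma = \{r\}$. Let $ld^a_\alpha(s,t) = x$, we show that for all $\epsilon > 0$ there is a formula $\varphi$ such that $[\varphi](t) - [\varphi](s) \ge x - \epsilon$. Let $\sigma^* \in Tr(s)$ be a path such that $\inf_{\rho \in Tr(t)} td_\alpha(\sigma^*,\rho) \ge x - \epsilon$. For all $m \ge 0$, we set

$$\varphi_m = \bigvee_{0 \le i \le m} \bigcirc^i_\alpha D([\sigma^*_i](r), r);$$

where $\bigcirc^i_\alpha$ stands for $i$ repetitions of the operator $\bigcirc_\alpha$. Intuitively, when formula $\varphi_m$ is evaluated on a trace $\sigma'$, it measures the asymmetric distance between $\sigma'$ and $\sigma^*$, up to the $m$-th step. Obviously, it is $[\varphi_m](s) = 0$ for all $m \ge 0$. Then, the value of $\varphi_m$ on a state $s'$ measures the distance between $\sigma^*$ and the trace in $Tr(s')$ which is closest to it. For all $t \in S$, it holds that

$$\begin{aligned}
\sup_{m \in \mathbb{N}} [\varphi_m](t) = \lim_m [\varphi_m](t) &= \lim_m \inf_{\rho \in Tr(t)} \max_{0 \le i \le m} \alpha^i D([\sigma^*_i](r), [\rho_i](r)) \\
&= \lim_m \inf_{\rho \in Tr(t)} btd^m_\alpha(\sigma^*,\rho) \\
&= \inf_{\rho \in Tr(t)} td_\alpha(\sigma^*,\rho) \quad\text{by Lemma 3} \\
&\ge x - \epsilon.
\end{aligned}$$

Consequently,

$$\begin{aligned}
\sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c)\}} [\varphi](t) - [\varphi](s) &\ge \sup_{m \in \mathbb{N}} [\varphi_m](t) - [\varphi_m](s) \\
&= \sup_{m \in \mathbb{N}} [\varphi_m](t) - 0 \\
&\ge x - \epsilon.
\end{aligned}$$

The statement about $\overline{ld}^a_\alpha$ is an easy consequence: Assume first that $\overline{ld}^a_\alpha(s,t) = ld^a_\alpha(s,t)$. Then,

$$\overline{ld}^a_\alpha(s,t) = \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c)\}} [\varphi](t) - [\varphi](s) \le \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c)\}} |[\varphi](t) - [\varphi](s)|.$$

If instead $\overline{ld}^a_\alpha(s,t) = ld^a_\alpha(t,s)$, we have

$$\overline{ld}^a_\alpha(s,t) = \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c)\}} [\varphi](s) - [\varphi](t) \le \sup_{\varphi \in \mathrm{QLTL}_\alpha \setminus \{D(r,c)\}} |[\varphi](t) - [\varphi](s)|.$$

We now consider the statement about $ld^s_\alpha$. The proof proceeds similarly to the one involving $ld^a_\alpha$, using as distinguishing formula the following.

$$\varphi_m = \bigvee_{0 \le i \le m} \bigcirc^i_\alpha D([\sigma^*_i](r), r) \vee \bigcirc^i_\alpha D(r, [\sigma^*_i](r)).$$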

Finally,  the  statement  involving  ldsa  can  be  easily  obtained  from  the  proof 
that  ldsa(s,  t)  =  supveqLTL  MW- MO)  and  the  fact  that  ldsa(s,  t )  =  ldsa(s,  t ) 

The  next  example  shows  that  finitely  branching  is  necessary  for  Theorem  5 
to  hold. 
Fig. 3. An MTS exhibiting the language $0\{0,1\}^\omega$; the single predicate is evaluated in the metric space X®.


Theorem  6  There  is  an  infinitely  branching  MTS  such  that 
ldsa(s,t)>  sup  MOO  “MO)- 

Proof.  Consider  the  system  in  Figure  3,  where  E  =  {r}.  Informally,  Tr(s)  = 
0{0, 1}".  Let  a  be  a  trace  such  that  {a}  is  not  a  regular  language  over  the 
alphabet  {0,1}  (it  would  be  sufficient  for  a  to  be  not  star-free  regular).  For 
instance,  let  a  —  01 001 0001 . . ..  Consider  a  second  system,  containing  a  state  t 
such  that  Tr(t)  =  Tr(s)\{a}.  Notice  that,  in  order  to  have  such  a  set  of  traces,  t 
must  be  infinitely  branching,  since  if  a  finitely  branching  tree  contains  all  prefixes 
of  an  infinite  path,  it  must  also  contain  the  path  itself.  We  have  ld\(s,t )  =  1. 
We  know  that  ordinary  Ltl  cannot  distinguish  s  from  t,  otherwise  there  would 
be  a  formula  if  £  Ltl  such  that  L(ip)  =  {a}.  We  argue  that  Qltl  is  also  unable 
to  distinguish  s  from  t.  To  prove  it,  we  have  to  show  that  discounting  does  not 
give  any  advantage.  □ 

3.4  Logical  characterization  via  logics  with  countably  many  symbols 

Above, we have provided a logical characterization for the linear distances in terms of a logic that contains a potentially uncountable set of constants: in general, we need one constant for each element of a metric space corresponding to a predicate. Here, we show how, for separable MTSs, we can provide a characterization in terms of logics with countably many symbols. First, we state a useful result, namely, that the logic is robust with respect to changes in the constants occurring in the formulas: a small change in the constants causes a small change in the value of the formulas.

Theorem 7 Consider a formula $\varphi$ of QLTL containing the constants $c_1, \ldots, c_n$, belonging respectively to the metric spaces $(X_1, d_1), \ldots, (X_n, d_n)$. Let $\varphi' = \varphi[c'_1, \ldots, c'_n / c_1, \ldots, c_n]$ be the result of replacing each $c_i$ with $c'_i$, for $1 \le i \le n$, and let $\delta = \max_{i=1}^{n} (d_i(c_i,c'_i) \sqcup d_i(c'_i,c_i))$ be the maximal distance between the new and old value of each constant. Then, for all $s \in S$, we have

$$|[\varphi](s) - [\varphi'](s)| \le \delta.$$

Proof. The result follows by a straightforward structural induction. The only interesting case is the one for $D(r,c_i)$, for some $1 \le i \le n$; in this case, using the triangular inequality we have

$$|[D(r,c_i)](s) - [D(r,c'_i)](s)| = |d_i([s](r), c_i) - d_i([s](r), c'_i)| \le d_i(c'_i, c_i);$$

the case for $D(c_i,r)$ is similar. □

From  the  robustness  of  the  logic  with  respect  to  the  constants,  it  follows  that 
if  an  MTS  is  separable,  we  can  obtain  a  logical  characterization  of  the  linear 
distances  in  terms  of  logics  that  consist  only  of  countably  many  symbols.  The 
idea,  essentially,  is  to  replace  each  constant  with  a  nearby  element  of  a  countable 
base  in  the  formulas  used  to  characterize  the  distances. 

Theorem 8 If an MTS $M = (S, \tau, \Sigma, [\cdot])$ is both finitely branching and separable, then the characterizations provided by Theorem 5 hold also when we restrict the formulas of QLTL to contain only constants from the countable set $\bigcup_{r \in \Sigma} B_r$, where $B_r$ is a countable basis for the metric space $(X_r, d_r)$, for each $r \in \Sigma$.

Proof.  The  result  follows  immediately  from  the  observation  that  by  Theorem  7 
the  value  of  a  formula,  at  every  state,  can  be  approximated  arbitrarily  closely 
by  the  value  of  a  formula  containing  only  constants  that  belong  to  the  countable 
bases  of  the  metric  spaces.  □ 

3.5  A  note  on  algorithmic  complexity 

The following section describes an algorithm that takes as input a finite MTS $M$ over a directed metric space $(X, d)$, and computes the value of a linear distance between all pairs of states. To discuss its complexity, we need to fix a finite representation for the input data. Considering that all the linear distances have as starting point the propositional distance $pd$, it is sufficient to provide as input the $|S| \times |S|$ matrix $A = (a_{s,t})_{s,t \in S}$, where $a_{s,t} = pd(s,t)$.

We assume that the values $pd(s,t)$ are rational numbers encoded in fixed-precision binary representation; we denote by $|x|_b$ the number of bits in the encoding of the rational number $x$. We define the size of a finite MTS $M = (S, \tau, \Sigma, [\cdot])$ by $|M| = \sum_{s,t \in S} |pd(s,t)|_b$. The size of an MTS is thus quadratic in $|S|$. We further assume that arithmetic operations can be carried out in constant time.


3.6  Computing  the  linear  distance 

Given as inputs a finite MTS $M = (S, \tau, \Sigma, [\cdot])$, a discount factor $\alpha \in (0,1]$ (the case $\alpha = 0$ is trivial), and $x \in \{a, s\}$, we wish to compute $ld^x_\alpha(s_0,t_0)$, for all $s_0, t_0 \in S$.

We describe the computation of $ld^a_\alpha$, as the computation of $ld^s_\alpha$ is analogous. We can read the definition of $ld^a_\alpha$ as a two-player game. Player 1 chooses a path $\pi = s_0 s_1 s_2 \cdots$ from $s_0$; Player 2 chooses a path $\pi' = t_0 t_1 t_2 \cdots$ from $t_0$; the goal of Player 1 (resp. Player 2) is to maximize (resp. minimize) $\sup_k \alpha^k pd(\pi_k, \pi'_k)$. The game is played with partial information: after $s_0 \cdots s_n$, Player 1 must choose $s_{n+1}$ without knowledge$^5$ of $t_0 \cdots t_n$. Such a game can be solved via a variation of the subset construction [16]. The key idea is to associate with each final state $s_n$ of a finite path $s_0 s_1 \cdots s_n$ chosen by Player 1, all final states $t_n$ of finite paths $t_0 t_1 \cdots t_n$ chosen by Player 2, each labeled by the distance $v(s_0 \cdots s_n, t_0 \cdots t_n) = \max_{0 \le k \le n} \alpha^{k-n} pd(s_k, t_k)$.

From  M,  we  construct  another  MTS  M'  =  (S',  t',  {r},  [■]'),  having  set  of 
states  S'  =  S  x  2SxD.  If  a  =  1  we  can  take  D  =  {pd(s,t)  \  s,t  £  51},  so  that 
|B|  <  l^l2.  For  a  £  (0, 1),  we  take  B  =  {pd(s,t)/ak  \  s,t  £  S Ak  £  NA pd(s,t)  < 
so  that  |B|  <  |S|2  •  [loga  min{pd(s,  t)  \  s,t  £  S  A  pd(s,t)  >  0}]  +  1. 
The transition relation $\tau'$ consists of all pairs $(\langle s, C \rangle, \langle s', C' \rangle)$ such that $s' \in \tau(s)$ and $C' = \{\langle t', v' \rangle \mid \exists \langle t, v \rangle \in C \,.\, t' \in \tau(t) \wedge v' = (v/\alpha \sqcup pd(s',t')) \sqcap 1\}$. Note that only Player 1 has a choice of moves in this game, since the moves of Player 2 are accounted for by the subset construction. Finally, the interpretation $[\cdot]'$ is given by $[\langle s, C \rangle]'(r) = \min\{v \mid \langle t, v \rangle \in C\}$, so that $r$ indicates the minimum distance achievable by Player 2 while trying to match a path to $\langle s, C \rangle$ chosen by Player 1. The goal of the game, for Player 1, consists in reaching a state of $M'$ with the highest possible (discounted) value of $r$. Thus, for all $s,t \in S$, we have $ld^a_\alpha(s,t) = [\exists\Diamond_\alpha r]^{M'}(\langle s, \{\langle t, pd(s,t) \rangle\} \rangle)$, where the right-hand side is to be computed on $M'$. This expression can be evaluated by a depth-first traversal of the state space of $M'$, noting that no state of $M'$ needs to be visited twice, as subsequent visits do not increase the value of $\Diamond_\alpha r$. This leads to the following complexity result.
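The subset construction described above, as an added example (not code from the paper), restricted to the undiscounted case of discount factor 1, where every label stays within the finite set of pd values and the traversal is exact. The sample MTS, its valuations (in tenths, so within [0, 1]) and the choice pd(s,t) = |val(s) - val(t)| are constructed for illustration; only the smallest label per Player-2 state is kept, which does not change the minimum over C.

```python
# Constructed sample MTS (not from the paper). One real-valued proposition;
# valuations are in tenths so that every label stays an exact integer.
VAL = {"s0": 0, "s1": 5, "t0": 0, "t1": 4, "t2": 6, "z": 0, "o": 10}
TAU = {
    "s0": ["s1"], "s1": ["z", "o"],
    "t0": ["t1", "t2"], "t1": ["z"], "t2": ["o"],
    "z": ["z"], "o": ["o"],          # every state needs at least one successor
}


def pd(s, t):
    """Propositional distance; assumed here to be |val(s) - val(t)|."""
    return abs(VAL[s] - VAL[t])


def successor_labels(s_next, labels):
    """One step of the subset construction for discount factor 1.

    `labels` is a set of pairs (t, v): Player 2 may be in t, having paid v.
    After Player 1 moves to s_next, each successor t' of t is labelled
    max(v, pd(s_next, t')); only the smallest label per t' is kept.
    """
    best = {}
    for t, v in labels:
        for t_next in TAU[t]:
            v_next = max(v, pd(s_next, t_next))
            if v_next < best.get(t_next, v_next + 1):
                best[t_next] = v_next
    return frozenset(best.items())


def linear_distance(s0, t0):
    """sup over traces from s0 of inf over traces from t0 of max_k pd(s_k, t_k).

    Depth-first traversal of the derived system; each state is visited once.
    The value of a derived state is the smallest label in its set, and the
    result is the largest such value that Player 1 can reach.
    """
    start = (s0, frozenset({(t0, pd(s0, t0))}))
    seen, stack, result = {start}, [start], 0
    while stack:
        s, labels = stack.pop()
        result = max(result, min(v for _, v in labels))
        for s_next in TAU[s]:
            state = (s_next, successor_labels(s_next, labels))
            if state not in seen:
                seen.add(state)
                stack.append(state)
    return result
```

Player 1 never sees which of t1, t2 Player 2 took, so from s0 the value is 1 (that is, 0.1), although s1 alone is at distance 10 (that is, 1.0) from either of them.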

Theorem 9 For all $x \in \{a, s\}$, the following assertions hold:

1. Computing $ld^x_\alpha$ for $\alpha \in (0,1]$ and MTS $M$ is PSPACE-complete in $|M| + |\alpha|_b$.

2. Computing $ld^x_\alpha$ for $\alpha \in (0,1]$ and deterministic MTS $M$ is PSPACE-complete in $|M| + |\alpha|_b$.

3. Computing $ld^x_\alpha$ for $\alpha \in (0,1]$ and boolean, deterministic MTS $M$ is in time $O(|M|^4)$.


Proof.  For  Part  1,  the  upper  complexity  bound  comes  from  the  above  algorithm, 
noticing  that  the  subset  construction  can  be  done  on  the  fly;  the  lower  bound 
comes  from  a  reduction  from  the  corresponding  result  for  trace  inclusion  [17]. 

Part 2 states that, unlike in the boolean case, the problem remains PSPACE-complete even for deterministic MTSs. This result is proved by an NLOGSPACE reduction from the problem of computing the distance between nondeterministic systems to the one of computing it between deterministic ones. More precisely, let $M$ be a nondeterministic MTS and let $m$ be the number of bits needed to represent each quantity in $M$. Assume that $\alpha$ is also encoded as a fixed-precision number of $m$ bits. Then, from an analysis of the algorithm, we see that the minimum difference between two possible answers returned by the algorithm is a number with $(n+1)m$ bits, where $n = |S|$. This is essentially $\alpha^n$ times the least difference of value among two non-equal valuations. We then build a deterministic MTS $M'$, by copying every valuation and padding it to $(n+1)m + 1$ bits, thus using $\log_2 |S|$ additional bits to uniquely identify each state of $S$. Once the algorithm returns an answer for the deterministic system, the answer for the original nondeterministic one can be recovered by rounding to $(n+1)m$ bits of precision.

5 Indeed, if the game were played with total information, we would obtain the branching distances of the next section.

Part  3  is  a  consequence  of  Theorems  17  and  18.  □ 


3.7  Discussion 

In Definition 10, we could have defined the propositional distance between two states using the $L_2$ norm, via $pd(u,v) = (\sum_{r \in \Sigma} d(u(r),v(r))^2)$ (or in general using the $L_n$ norm, for $n > 0$). The reason why in Definition 10 we chose the $L_\infty$ norm is that this definition leads to a logical characterization of the distances, since the max in the $L_\infty$ norm corresponds to the $\vee$ of the logics. It is easy to see that, aside from the logical characterizations, the results of the paper would hold if we replaced in Definition 10 the $L_\infty$ norm with $L_n$, for any $n > 0$.

4  Branching  Distances  and  Logics 

4.1  Branching  distances 

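Definition 13 (branching distances) For $\alpha \in (0,1]$ and $x \in \{Aa, As, Sa, Ss\}$, consider the four operators $H^x_\alpha : (S^2 \to \mathbb{R}^+) \to (S^2 \to \mathbb{R}^+)$ defined as follows, for $d : S^2 \to \mathbb{R}^+$:

$$H^{Aa}_\alpha(d)(s,t) = pd(s,t) \sqcup \alpha \cdot \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} d(s',t')$$

$$H^{As}_\alpha(d)(s,t) = \overline{pd}(s,t) \sqcup \alpha \cdot \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} d(s',t')$$

$$H^{Sa}_\alpha(d)(s,t) = pd(s,t) \sqcup \alpha \cdot \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} d(s',t') \sqcup \alpha \cdot \sup_{t' \in \tau(t)} \inf_{s' \in \tau(s)} d(s',t')$$

$$H^{Ss}_\alpha(d)(s,t) = \overline{pd}(s,t) \sqcup \alpha \cdot \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} d(s',t') \sqcup \alpha \cdot \sup_{t' \in \tau(t)} \inf_{s' \in \tau(s)} d(s',t')$$

For $x \in \{Aa, As, Sa, Ss\}$, we define the branching distance $bd^x_\alpha$ as the least fixpoint of the operator $H^x_\alpha$. □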
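Definition 13 read as an algorithm, as an added example (not code from the paper): the least fixpoint is reached by iterating the operator from the zero function, here for the one-sided form (pd joined with the discounted sup-inf term) and the two-sided form that adds the sup-inf term in the other direction. The sample MTS, its valuations in tenths and pd(s,t) = |val(s) - val(t)| are constructed; exact rationals are used so that the iteration stops exactly when the fixpoint is reached on this finite system.

```python
from fractions import Fraction

# Constructed sample MTS (not from the paper). One real-valued proposition;
# valuations are in tenths, so the distances below are exact rationals.
VAL = {"s0": 0, "s1": 5, "t0": 0, "t1": 4, "t2": 6, "z": 0, "o": 10}
TAU = {
    "s0": ["s1"], "s1": ["z", "o"],
    "t0": ["t1", "t2"], "t1": ["z"], "t2": ["o"],
    "z": ["z"], "o": ["o"],          # every state needs at least one successor
}


def pd(s, t):
    """Propositional distance; assumed here to be |val(s) - val(t)|."""
    return Fraction(abs(VAL[s] - VAL[t]))


def branching_distance(alpha, two_sided=False):
    """Least fixpoint of d -> pd join alpha * (sup-inf terms), for all pairs.

    two_sided=False: only 'every move of s is matched by some move of t'
                     (simulation-like, directed).
    two_sided=True : additionally 'every move of t is matched by some move
                     of s' (bisimulation-like).
    Returns a dict mapping (s, t) to the distance.
    """
    states = list(TAU)
    d = {(s, t): Fraction(0) for s in states for t in states}
    while True:
        nxt = {}
        for s in states:
            for t in states:
                # Player 1 picks s', Player 2 answers with the closest t'.
                forth = max(min(d[s2, t2] for t2 in TAU[t]) for s2 in TAU[s])
                value = max(pd(s, t), alpha * forth)
                if two_sided:
                    # Player 1 may also pick t'; Player 2 answers with s'.
                    back = max(min(d[s2, t2] for s2 in TAU[s]) for t2 in TAU[t])
                    value = max(value, alpha * back)
                nxt[s, t] = value
        if nxt == d:                 # fixpoint reached
            return d
        d = nxt


if __name__ == "__main__":
    sim = branching_distance(Fraction(1))
    bis = branching_distance(Fraction(1), two_sided=True)
    print("one-sided (s0,t0):", sim["s0", "t0"], " (t0,s0):", sim["t0", "s0"])
    print("two-sided (t0,s0):", bis["t0", "s0"])
```

On this system the one-sided distance from s0 to t0 is 10 (that is, 1.0) because s1 must be matched by a single successor of t0 before the next step is known, while in the other direction it is only 1; the two-sided form gives 10 in both directions.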

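For all $\alpha \in (0,1]$, the functions $bd^{Aa}_\alpha$, $bd^{As}_\alpha$, and $bd^{Sa}_\alpha$ are directed metrics, and the functions $\overline{bd}^{Aa}_\alpha$, $\overline{bd}^{As}_\alpha$, and $\overline{bd}^{Sa}_\alpha$ are undirected metrics.

The distance $bd^{Ss}_\alpha$ is a quantitative generalization of bisimulation, and it essentially coincides with the metrics of [7,18,4]; as it is already symmetrical, we have $\overline{bd}^{Ss}_\alpha = bd^{Ss}_\alpha$. Similarly, the distance $bd^{As}_\alpha$ generalizes simulation, and $\overline{bd}^{As}_\alpha$ generalizes mutual simulation.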

Theorem  10  For  all  MTSs  ( S,t ,  S,  [•])  where  dr  is  a  directed  distance  for  all 
r  £  S,  and  for  all  a  £  (0, 1],  we  have  <sim  =  Zero  (Mf)  and  =  Zero  (M®s). 
The distances $bd^{Aa}_\alpha$ and $bd^{Sa}_\alpha$ correspond to quantitative notions of simulation and bisimulation with respect to the asymmetrical propositional distance $pd$; these distances are not symmetrical, and we indicate their symmetrical versions by $\overline{bd}^{Aa}_\alpha$ and $\overline{bd}^{Sa}_\alpha$. Just as in the boolean case mutual similarity is not equivalent to bisimulation, so in our quantitative setting $\overline{bd}^{As}_\alpha$ can be strictly smaller than $bd^{Ss}_\alpha$, and $\overline{bd}^{Aa}_\alpha$ can be strictly smaller than $\overline{bd}^{Sa}_\alpha$.

Theorem 11 The relations in Figure 5(b) hold for all MTS and for all $\alpha \in (0,1]$. For $\alpha \in (0,1]$, no other inequalities hold on all MTSs.

Proof.  The  inequalities  bd?  <  bdSa  <  bdsas  and  bd?  <  bd?  <  bdsJ  shown  in 
the  figure  are  immediate.  Let  a  £  (0, 1]  and  consider  the  MTS  in  Figure  5(a) 
again.  In  this  MTS,  we  have  Wa  =  bdaa,  ldsa  =  bd?,  ldft  =  bd? .  lcFa  =  bd? 
Hence,  the  results  for  the  linear  distances  (see  Theorem  2)  show  that  bd? 
bd^s,  bd?  /  Msaa,  bd?  £  M®s,  bdsaa  £  bdsaa,  and  neither  bd?  <  bd?  nor 

bd?  >  bd?.  □ 

The branching distances, like the linear ones, are robust with respect to perturbations in the state valuations: small changes in the proposition valuations cause small changes in the distances. To state the theorem, given a state valuation $f : S \to \mathcal{U}[\Sigma]$, $x \in \{Aa, As, Sa, Ss\}$, and $\alpha \in (0,1]$, we write $bd^x_{f,\alpha}$ for the distances defined as in Definition 13, using $f$ as the state valuation.

Theorem 12 (branching distance robustness) For all $\alpha \in (0,1]$, all $x \in \{As, Sa, Ss\}$, all predicate valuations $[\cdot]_1, [\cdot]_2$, and all $s,t \in S$, we have

$$bd^x_{[\cdot]_1,\alpha}(s,t) - bd^x_{[\cdot]_2,\alpha}(s,t) \le d([\cdot]_1,[\cdot]_2) + d([\cdot]_2,[\cdot]_1)$$

$$|bd^x_{[\cdot]_1,\alpha}(s,t) - bd^x_{[\cdot]_2,\alpha}(s,t)| \le 2 \cdot d([\cdot]_1,[\cdot]_2).$$


4.2 Quantitative μ-calculus

We define quantitative μ-calculus after [5,4]. Given a set of variables $X$ and a set of propositions $\Sigma$, the formulas of the quantitative μ-calculus are generated by the grammar:

$$\varphi ::= D(r,c) \mid D(c,r) \mid x \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \exists\bigcirc_\alpha \varphi \mid \forall\bigcirc_\alpha \varphi \mid \mu x\,.\,\varphi \mid \nu x\,.\,\varphi$$

for propositions $r \in \Sigma$, variables $x \in X$, constants $c \in \bigcup_{r \in \Sigma} X_r$, and discount factors $\alpha \in (0,1]$. We assume that, in a term of the form $D(r,c)$ or $D(c,r)$, we have $c \in X_r$. Denoting by $\mathcal{F} = (S \to \mathbb{R}^+)$, a (variable) interpretation is a function $\mathcal{E} : X \to \mathcal{F}$. Given an interpretation $\mathcal{E}$, a variable $x \in X$ and a function $f \in \mathcal{F}$, we denote by $\mathcal{E}[x := f]$ the interpretation $\mathcal{E}'$ such that $\mathcal{E}'(x) = f$ and, for all $y \ne x$, $\mathcal{E}'(y) = \mathcal{E}(y)$. Given an MTS and an interpretation $\mathcal{E}$, every formula $\varphi$ of the quantitative μ-calculus defines a valuation $[\varphi]_\mathcal{E} : S \to \mathbb{R}^+$:

$$[D(r,c)]_\mathcal{E}(s) = d([s](r), c)$$

$$[D(c,r)]_\mathcal{E}(s) = d(c, [s](r))$$

$$[x]_\mathcal{E} = \mathcal{E}(x)$$

$$[\varphi_1 \wedge \varphi_2]_\mathcal{E} = [\varphi_1]_\mathcal{E} \sqcap [\varphi_2]_\mathcal{E}$$

$$[\varphi_1 \vee \varphi_2]_\mathcal{E} = [\varphi_1]_\mathcal{E} \sqcup [\varphi_2]_\mathcal{E}$$

$$[\exists\bigcirc_\alpha \varphi]_\mathcal{E}(s) = \alpha \cdot \sup_{s' \in \tau(s)} [\varphi]_\mathcal{E}(s')$$

$$[\forall\bigcirc_\alpha \varphi]_\mathcal{E}(s) = \alpha \cdot \inf_{s' \in \tau(s)} [\varphi]_\mathcal{E}(s')$$

$$[\mu x\,.\,\varphi]_\mathcal{E} = \inf\{f \in \mathcal{F} \mid f = [\varphi]_{\mathcal{E}[x:=f]}\}$$

$$[\nu x\,.\,\varphi]_\mathcal{E} = \sup\{f \in \mathcal{F} \mid f = [\varphi]_{\mathcal{E}[x:=f]}\}.$$

The existence of the required fixpoints is guaranteed by the monotonicity and continuity of all operators. A variable $x$ is bound in $\varphi$ if it is in the scope of a quantifier $\mu x$ or $\nu x$; otherwise, it is called free. A formula is closed if all variables are bound. If $\varphi$ is closed, we write $[\varphi]$ for $[\varphi]_\mathcal{E}$. For all $\alpha \in (0,1]$, we call QMU$_\alpha$ the set of quantitative μ-calculus formulas where all discount factors are smaller than or equal to $\alpha$. We denote by CLQMU$_\alpha$ the subset of QMU$_\alpha$ containing only closed formulas. For $ops \subseteq \{D(c,r), D(r,c), \exists, \forall, \mu, \nu\}$, we denote by QMU$_\alpha \setminus ops$ and CLQMU$_\alpha \setminus ops$ the respective subsets of formulas that do not employ operators in $ops$. Notice that, if we take all discount factors to be 1, then the semantics of the quantitative μ-calculus on boolean systems coincides with the one of the classical μ-calculus.

4.3  Logical  characterizations  of  branching  distances 

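In the following theorem, we write $\varphi(x_1, \ldots, x_n)$ to signify that the free variables in $\varphi$ are among $x_1, \ldots, x_n$.

Lemma 4 Given an MTS $(S, \tau, \Sigma, [\cdot])$ and a discount factor $\alpha \in (0,1]$, the following holds.

1. For all $\varphi(x_1, \ldots, x_n) \in$ QMU$_\alpha \setminus \{\exists, D(r,c)\}$, for all variable environments $\mathcal{E}$, and for all $f_1, \ldots, f_n \in \mathcal{F}$, if for all $s,t \in S$ and all $i = 1, \ldots, n$, $f_i(t) - f_i(s) \le bd^{Aa}_\alpha(s,t)$, then, for all $s,t \in S$,

$$[\varphi]_{\mathcal{E}[x_i:=f_i]}(t) - [\varphi]_{\mathcal{E}[x_i:=f_i]}(s) \le bd^{Aa}_\alpha(s,t).$$

2. For all $\varphi(x_1, \ldots, x_n) \in$ QMU$_\alpha \setminus \{\exists\}$, and for all $f_1, \ldots, f_n \in \mathcal{F}$, if for all $s,t \in S$ and all $i = 1, \ldots, n$, $f_i(t) - f_i(s) \le bd^{As}_\alpha(s,t)$, then, for all $s,t \in S$,

$$[\varphi]_{\mathcal{E}[x_i:=f_i]}(t) - [\varphi]_{\mathcal{E}[x_i:=f_i]}(s) \le bd^{As}_\alpha(s,t).$$

3. For all $\varphi(x_1, \ldots, x_n) \in$ QMU$_\alpha \setminus \{D(r,c)\}$, and for all $f_1, \ldots, f_n \in \mathcal{F}$, if for all $s,t \in S$ and all $i = 1, \ldots, n$, $f_i(t) - f_i(s) \le bd^{Sa}_\alpha(s,t)$, then, for all $s,t \in S$,

$$[\varphi]_{\mathcal{E}[x_i:=f_i]}(t) - [\varphi]_{\mathcal{E}[x_i:=f_i]}(s) \le bd^{Sa}_\alpha(s,t).$$

4. For all $\varphi(x_1, \ldots, x_n) \in$ QMU$_\alpha$, and for all $f_1, \ldots, f_n \in \mathcal{F}$, if for all $s,t \in S$ and all $i = 1, \ldots, n$, $|f_i(t) - f_i(s)| \le bd^{Ss}_\alpha(s,t)$, then, for all $s,t \in S$,

$$|[\varphi]_{\mathcal{E}[x_i:=f_i]}(t) - [\varphi]_{\mathcal{E}[x_i:=f_i]}(s)| \le bd^{Ss}_\alpha(s,t).$$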

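Proof. We prove statements 1 and 3; the other two statements can be proved in similar fashion.

Statement 1. We prove the result concerning $bd^{Aa}_\alpha$ by structural induction on the formula. For $\varphi = D(c,r)$, we obtain by triangle inequality $[\varphi](t) - [\varphi](s) = d(c,[t](r)) - d(c,[s](r)) \le d([s](r),[t](r)) \le pd(s,t) \le bd^{Aa}_\alpha(s,t)$.

The cases $\varphi = x$, $\varphi = \varphi_1 \wedge \varphi_2$ and $\varphi = \varphi_1 \vee \varphi_2$ are also trivial.

Consider the case $\varphi = \forall\bigcirc_\beta \psi$, for some $\beta \le \alpha$: we prove that, for all states $s,t \in S$ and all $\epsilon > 0$, $[\varphi](t) - [\varphi](s) \le bd^{Aa}_\alpha(s,t) + \epsilon$. For ease of notation, in this part of the proof we write $[\cdot]$ for $[\cdot]_{\mathcal{E}[x_i:=f_i]}$, as the variable interpretation is not the issue here. Recall that, for all $t \in S$, we have by definition $[\varphi](t) = \beta \inf_{t' \in \tau(t)} [\psi](t')$. By inductive hypothesis, for all $s',t' \in S$, $[\psi](t') - [\psi](s') \le bd^{Aa}_\alpha(s',t')$. For all $s^* \in \tau(s)$ and $\delta > 0$, we define $closer(t,s^*,\delta)$ to contain all states $t^* \in \tau(t)$ such that $bd^{Aa}_\alpha(s^*,t^*) \le \delta + \inf_{t' \in \tau(t)} bd^{Aa}_\alpha(s^*,t')$. Intuitively, $closer(t,s^*,\delta)$ contains those successors of $t$ that are closer than $\delta$ to the best match for $s^*$. For all $s^* \in \tau(s)$ and $t^* \in closer(t,s^*,\delta)$, we have that

$$\begin{aligned}
\alpha \cdot ([\psi](t^*) - [\psi](s^*)) &\le \alpha \cdot bd^{Aa}_\alpha(s^*,t^*) \\
&\le \alpha \cdot \Big(\inf_{t' \in \tau(t)} bd^{Aa}_\alpha(s^*,t') + \delta\Big) \\
&\le \alpha \cdot \Big(\sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} bd^{Aa}_\alpha(s',t') + \delta\Big) \\
&\le \alpha\delta + bd^{Aa}_\alpha(s,t). \qquad (\S)
\end{aligned}$$

Finally, let $s^* \in \tau(s)$ be such that $[\psi](s^*) \le \inf_{s' \in \tau(s)} [\psi](s') + \frac{\epsilon}{2\alpha}$ and $t^* \in closer(t,s^*,\frac{\epsilon}{2\alpha})$, we have

$$\begin{aligned}
[\varphi](t) - [\varphi](s) &= \beta \inf_{t' \in \tau(t)} [\psi](t') - \beta \inf_{s' \in \tau(s)} [\psi](s') \\
&\le \alpha\Big([\psi](t^*) - [\psi](s^*) + \frac{\epsilon}{2\alpha}\Big) \qquad (\dagger) \\
&\le \frac{\epsilon}{2} + \alpha([\psi](t^*) - [\psi](s^*)) \\
&\le \frac{\epsilon}{2} + \frac{\epsilon}{2} + bd^{Aa}_\alpha(s,t). \qquad (\ddagger)
\end{aligned}$$

To obtain $(\dagger)$, we have used $[\psi](t^*) \ge \inf_{t' \in \tau(t)} [\psi](t')$ and our choice of $s^*$; to obtain $(\ddagger)$, we have used $t^* \in closer(t,s^*,\frac{\epsilon}{2\alpha})$, along with the previous result $(\S)$. This concludes this case.

If $\varphi = \mu y\,.\,\psi$, then $[\varphi] = \lim_n g_n$, where $g_0(s) = 0$ for all $s \in S$, and $g_{n+1} = [\psi]_{\mathcal{E}[y:=g_n]}$. This is a consequence of the fact that, when the MTS is finitely branching, all operators of the μ-calculus are continuous: that is, for each operator $F \in \{\wedge, \vee, \exists\bigcirc, \forall\bigcirc\}$ and each sequence $(g_n)_{n \ge 0}$ of functions $S^2 \to \mathbb{R}^+$, we have $F(\lim_n g_n) = \lim_n F(g_n)$. Since $g_0(t) - g_0(s) = 0 \le bd^{Aa}_\alpha(s,t)$, by inductive hypothesis we obtain that, for all $n \in \mathbb{N}$, $g_n(t) - g_n(s) \le bd^{Aa}_\alpha(s,t)$, and thus the thesis. By taking $g_0(s) = \infty$ for all $s \in S$, we obtain the argument for $\varphi = \nu y\,.\,\psi$.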

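Statement 3. The cases $\varphi = r$, $\varphi = x$, $\varphi = \psi_1 \wedge \psi_2$ and $\varphi = \psi_1 \vee \psi_2$ are trivial, while the proofs for $\varphi = \forall\bigcirc_\beta \psi$, $\varphi = \mu y.\psi$ and $\varphi = \nu y.\psi$ are similar to the ones of Part 1.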
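Let $\varphi = \exists\bigcirc_\beta \psi$, for some $\beta \le \alpha$. We prove that, for all states $s, t \in S$ and all $\varepsilon > 0$, $[\![\varphi]\!](t) - [\![\varphi]\!](s) \le bd^{Sa}_\alpha(s, t) + \varepsilon$. For ease of notation, we again write $[\![\cdot]\!]$ for [•>[*(.£-/<]•  By inductive hypothesis, for all $s', t' \in S$, $[\![\psi]\!](t') - [\![\psi]\!](s') \le bd^{Sa}_\alpha(s', t')$.

For all $t^* \in \tau(t)$ and $\delta > 0$, we define $closer(s, t^*, \delta)$ to contain all states $s^* \in \tau(s)$ such that $bd^{Sa}_\alpha(s^*, t^*) \le \delta + \inf_{s' \in \tau(s)} bd^{Sa}_\alpha(s', t^*)$. Again, $closer(s, t^*, \delta)$ contains those successors of $s$ that are closer than $\delta$ to the best match for $t^*$. For all $t^* \in \tau(t)$ and $s^* \in closer(s, t^*, \delta)$, we have that $\alpha \cdot bd^{Sa}_\alpha(s^*, t^*) \le \alpha\delta + bd^{Sa}_\alpha(s, t)$, and thus

$$\begin{aligned}
\alpha \cdot ([\![\psi]\!](t^*) - [\![\psi]\!](s^*)) &\le \alpha \cdot bd^{Sa}_\alpha(s^*, t^*) \\
&\le \alpha\delta + bd^{Sa}_\alpha(s, t). \qquad (\S\S)
\end{aligned}$$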

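There are now three cases.

1. If $[\![\varphi]\!](t) = \beta \sup_{t' \in \tau(t)} [\![\psi]\!](t') < \infty$, then let $t^* \in \tau(t)$ be such that $[\![\psi]\!](t^*) \ge \sup_{t' \in \tau(t)} [\![\psi]\!](t') - \frac{\varepsilon}{2\alpha}$ and $s^* \in closer(s, t^*, \frac{\varepsilon}{2\alpha})$. We have

$$\begin{aligned}
[\![\varphi]\!](t) - [\![\varphi]\!](s) &= \beta \sup_{t' \in \tau(t)} [\![\psi]\!](t') - \beta \sup_{s' \in \tau(s)} [\![\psi]\!](s') \\
&\le \alpha \Big( [\![\psi]\!](t^*) + \frac{\varepsilon}{2\alpha} - [\![\psi]\!](s^*) \Big) \\
&\le \frac{\varepsilon}{2} + \alpha ( [\![\psi]\!](t^*) - [\![\psi]\!](s^*) ) \\
&\le \frac{\varepsilon}{2} + \frac{\varepsilon}{2} + bd^{Sa}_\alpha(s, t),
\end{aligned}$$

leading to the desired result.

2. If $[\![\varphi]\!](t) = \infty$ and $bd^{Sa}_\alpha(s, t) = \infty$, then we are done.

3. If $[\![\varphi]\!](t) = \infty$ and $bd^{Sa}_\alpha(s, t) < \infty$, then for every $c \in \mathbb{R}$, we can find $t^* \in \tau(t)$ such that $[\![\psi]\!](t^*) > c$. From $(\S\S)$, we can thus find $s^* \in closer(s, t^*, 1)$ such that

$$\alpha(c - 1) - bd^{Sa}_\alpha(s, t) < \alpha [\![\psi]\!](t^*) - \alpha - bd^{Sa}_\alpha(s, t) \le [\![\psi]\!](s^*).$$

From $[\![\varphi]\!](s) = \beta \sup_{s' \in \tau(s)} [\![\psi]\!](s') \ge \beta [\![\psi]\!](s^*)$, since $bd^{Sa}_\alpha(s, t) < \infty$ and since $c$ is arbitrary, we obtain $[\![\varphi]\!](s) = \infty = [\![\varphi]\!](t)$, concluding the proof. □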

From the preceding lemma, we immediately obtain a theorem stating that the branching distances provide bounds for the corresponding fragments of the $\mu$-calculus. The statement for is very similar to a result in [7].


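Theorem 13 For all MTSs $(S, \tau, \Sigma, [\cdot])$, states $s, t \in S$, and $\alpha \in (0,1]$, we have

$$\begin{array}{ll}
bd^{Aa}_\alpha(s, t) \ge [\![\varphi]\!](t) - [\![\varphi]\!](s) & \text{for all } \varphi \in \mathrm{ClQmu}_\alpha \setminus \{\exists, D(r, c)\} \\
bd^{As}_\alpha(s, t) \ge [\![\varphi]\!](t) - [\![\varphi]\!](s) & \text{for all } \varphi \in \mathrm{ClQmu}_\alpha \setminus \{\exists\} \\
bd^{Sa}_\alpha(s, t) \ge [\![\varphi]\!](t) - [\![\varphi]\!](s) & \text{for all } \varphi \in \mathrm{ClQmu}_\alpha \setminus \{D(r, c)\} \\
bd^{Ss}_\alpha(s, t) \ge |[\![\varphi]\!](t) - [\![\varphi]\!](s)| & \text{for all } \varphi \in \mathrm{ClQmu}_\alpha
\end{array}$$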
As noted before, each bound of the form $d(s, t) \ge [\![\varphi]\!](t) - [\![\varphi]\!](s)$ trivially leads to a bound of the form $d(s, t) \ge |[\![\varphi]\!](t) - [\![\varphi]\!](s)|$. The bounds are tight for finitely branching systems, and the following theorem identifies which fragments of quantitative $\mu$-calculus suffice for characterizing each branching distance. The formula scheme used to characterize is reminiscent of the one used in [1] for bisimulation.

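Theorem 14 For all finitely branching MTSs $(S, \tau, \Sigma, [\cdot])$, states $s, t \in S$, and $\alpha \in (0,1]$, we have

$$\begin{aligned}
bd^{Aa}_\alpha(s, t) &= \sup_{\varphi \in \mathrm{ClQmu}_\alpha \setminus \{\exists, D(r,c), \mu, \nu\}} [\![\varphi]\!](t) - [\![\varphi]\!](s), \\
bd^{As}_\alpha(s, t) &= \sup_{\varphi \in \mathrm{ClQmu}_\alpha \setminus \{\exists, \mu, \nu\}} [\![\varphi]\!](t) - [\![\varphi]\!](s), \\
bd^{Sa}_\alpha(s, t) &= \sup_{\varphi \in \mathrm{ClQmu}_\alpha \setminus \{D(r,c), \mu, \nu\}} [\![\varphi]\!](t) - [\![\varphi]\!](s), \\
bd^{Ss}_\alpha(s, t) &= \sup_{\varphi \in \mathrm{ClQmu}_\alpha \setminus \{\mu, \nu\}} [\![\varphi]\!](t) - [\![\varphi]\!](s).
\end{aligned}$$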

Proof. 

Part 1. Consider the statement about $bd^{Aa}_\alpha$. For all $s \in S$, we define the sequence of formulas $(\varphi^k_s)_{k \ge 0}$ as follows.

rex: 

$$\varphi^{k+1}_s = \varphi^0_s \vee \bigvee_{s' \in \tau(s)} \forall\bigcirc_\alpha \varphi^k_{s'}$$

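First, one can easily prove by induction that, for all $k \in \mathbb{N}$ and $s \in S$, $[\![\varphi^k_s]\!](s) = 0$. The distance $bd^{Aa}_\alpha$ is defined as the least fixpoint of $H^{Aa}_\alpha$. Denoting by $(H^{Aa}_\alpha)^k$ a sequence of $k$ applications of $H^{Aa}_\alpha$, since the MTS is finitely branching, we have that $bd^{Aa}_\alpha = \lim_k (H^{Aa}_\alpha)^k(pd)$. We prove by induction on $k$ that, for all $s, t \in S$, $[\![\varphi^k_s]\!](t) = (H^{Aa}_\alpha)^k(pd)(s, t)$.

$$\begin{aligned}
[\![\varphi^0_s]\!](t) &= \max_{r \in \Sigma} d([s](r), [t](r)) \\
&= pd(s, t) = (H^{Aa}_\alpha)^0(pd)(s, t); \\
[\![\varphi^{k+1}_s]\!](t) &= [\![\varphi^0_s]\!](t) \sqcup \max_{s' \in \tau(s)} \min_{t' \in \tau(t)} \alpha [\![\varphi^k_{s'}]\!](t') \\
&= pd(s, t) \sqcup \max_{s' \in \tau(s)} \min_{t' \in \tau(t)} \alpha \cdot (H^{Aa}_\alpha)^k(pd)(s', t') \\
&= (H^{Aa}_\alpha)^{k+1}(pd)(s, t).
\end{aligned}$$

It follows that

$$\begin{aligned}
\sup_{\varphi \in \mathrm{ClQmu}_\alpha \setminus \{\exists, D(r,c), \mu, \nu\}} [\![\varphi]\!](t) - [\![\varphi]\!](s) &\ge \sup_{k \in \mathbb{N}} [\![\varphi^k_s]\!](t) - [\![\varphi^k_s]\!](s) \\
&= \sup_{k \in \mathbb{N}} (H^{Aa}_\alpha)^k(pd)(s, t) - 0 \\
&= bd^{Aa}_\alpha(s, t).
\end{aligned}$$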
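Part 2. To prove the statement concerning $bd^{As}_\alpha(s, t)$, we define the following sequence of formulas $(\varphi^k_s)_{k \in \mathbb{N}}$.

$$\begin{aligned}
\varphi^0_s &= \bigvee_{r \in \Sigma} D([s](r), r) \vee D(r, [s](r)), \\
\varphi^{k+1}_s &= \varphi^0_s \vee \bigvee_{s' \in \tau(s)} \forall\bigcirc_\alpha \varphi^k_{s'}.
\end{aligned}$$

We then proceed similarly to the previous part.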

Part 3. To prove the bound on $bd^{Sa}_\alpha(s, t)$, we use the formulas:

v°s  =  V 

reu 

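$$\varphi^{k+1}_s = \varphi^0_s \vee \bigvee_{s' \in \tau(s)} \forall\bigcirc_\alpha \varphi^k_{s'} \vee \exists\bigcirc_\alpha \Big( \bigwedge_{s' \in \tau(s)} \varphi^k_{s'} \Big).$$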

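Once again, one can easily prove by induction that, for all $k \in \mathbb{N}$ and $s \in S$, $[\![\varphi^k_s]\!](s) = 0$. The distance $bd^{Sa}_\alpha$ is defined as the least fixpoint of $H^{Sa}_\alpha$. In particular, denoting by $(H^{Sa}_\alpha)^k$ a sequence of $k$ applications of $H^{Sa}_\alpha$, again due to the fact that the MTS is finitely branching we have $bd^{Sa}_\alpha = \lim_k (H^{Sa}_\alpha)^k(pd)$. We prove by induction on $k$ that, for all $s, t \in S$, $[\![\varphi^k_s]\!](t) = (H^{Sa}_\alpha)^k(pd)(s, t)$.

$$\begin{aligned}
[\![\varphi^0_s]\!](t) &= \max_{r \in \Sigma} \big( d([s](r), [t](r)) \sqcup d([t](r), [s](r)) \big) \\
&= pd(s, t) = (H^{Sa}_\alpha)^0(pd)(s, t); \\
[\![\varphi^{k+1}_s]\!](t) &= [\![\varphi^0_s]\!](t) \sqcup \max_{s' \in \tau(s)} \min_{t' \in \tau(t)} \alpha [\![\varphi^k_{s'}]\!](t') \sqcup \max_{t' \in \tau(t)} \min_{s' \in \tau(s)} \alpha [\![\varphi^k_{s'}]\!](t') \\
&= pd(s, t) \sqcup \alpha \max_{s' \in \tau(s)} \min_{t' \in \tau(t)} (H^{Sa}_\alpha)^k(pd)(s', t') \\
&\qquad \sqcup\ \alpha \max_{t' \in \tau(t)} \min_{s' \in \tau(s)} (H^{Sa}_\alpha)^k(pd)(s', t') \\
&= (H^{Sa}_\alpha)^{k+1}(pd)(s, t).
\end{aligned}$$

It follows that

$$\begin{aligned}
\sup_{\varphi \in \mathrm{ClQmu}_\alpha \setminus \{D(r,c), \mu, \nu\}} [\![\varphi]\!](t) - [\![\varphi]\!](s) &\ge \sup_{k \in \mathbb{N}} [\![\varphi^k_s]\!](t) - [\![\varphi^k_s]\!](s) \\
&= \sup_{k \in \mathbb{N}} (H^{Sa}_\alpha)^k(pd)(s, t) - 0 \\
&= bd^{Sa}_\alpha(s, t).
\end{aligned}$$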


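Part 4. To prove the bound on $bd^{Ss}_\alpha(s, t)$, we use the formulas:

$$\begin{aligned}
\varphi^0_s &= \bigvee_{r \in \Sigma} D([s](r), r) \vee D(r, [s](r)), \\
\varphi^{k+1}_s &= \varphi^0_s \vee \bigvee_{s' \in \tau(s)} \forall\bigcirc_\alpha \varphi^k_{s'} \vee \exists\bigcirc_\alpha \Big( \bigwedge_{s' \in \tau(s)} \varphi^k_{s'} \Big).
\end{aligned}$$

We then proceed similarly to the previous parts. □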


4.4  Logical  characterization  via  logics  with  countably  many  symbols 

Again, the logical characterization above is in terms of formulas defined over a potentially uncountable set of constants: in general, we need one constant for each element of a metric space corresponding to a predicate. As in the linear case, we show that if the MTS is separable, then it suffices to consider formulas defined over the countable set of constants corresponding to the countable bases of the metric spaces for the various predicates. We start once more with a result that expresses the robustness of the calculus with respect to changes in the valuation of the constants.

Theorem 15 Consider a formula $\varphi$ of the quantitative $\mu$-calculus containing the constants $c_1, \ldots, c_n$, belonging respectively to the metric spaces $(X_1, d_1), \ldots, (X_n, d_n)$. Let $\varphi' = \varphi[c'_1, \ldots, c'_n / c_1, \ldots, c_n]$ be the result of replacing each $c_i$ with $c'_i$, for $1 \le i \le n$, and let $\delta = \max_{i=1}^{n} (d_i(c_i, c'_i) \sqcup d_i(c'_i, c_i))$ be the maximal distance between the new and old value of each constant. Then, for all $s \in S$ and all variable environments $\mathcal{E}$, we have $|[\![\varphi]\!]_{\mathcal{E}}(s) - [\![\varphi']\!]_{\mathcal{E}}(s)| \le \delta$.

Proof. The result is obtained by a straightforward induction on the structure of the formula; the only interesting case is the base case for $D$, which is proved as in the proof of Theorem 7. □

Again, for separable MTSs this result leads to logical characterizations based on languages with countable sets of constants, corresponding to the bases of the metric spaces.

Theorem 16 If an MTS $M = (S, \tau, \Sigma, [\cdot])$ is both finitely branching and separable, then the characterizations provided by Theorem 14 hold also when we restrict the formulas of quantitative $\mu$-calculus to contain only constants from the countable set $\bigcup_{r \in \Sigma} B_r$, where $B_r$ is a countable basis for the metric space $(X_r, d_r)$, for each $r \in \Sigma$.

Proof. Similarly to the linear case, the result follows from the observation that by Theorem 15 the value of a formula, at every state, can be approximated arbitrarily closely by the value of a formula containing only constants that belong to the countable bases of the metric spaces. □

4.5  Computing  the  branching  distances 

Given a finite MTS $M = (S, \tau, \Sigma, [\cdot])$, a rational number $\alpha \in (0,1]$, and $x \in \{Ss, Sa, As, Aa\}$, we can compute $bd^x_\alpha(s, t)$ for all states $s, t \in S$ by computing in an iterative fashion the fixpoints of Definition 13. For instance, can be computed by letting $d^0(s, t) = 0$ for all $s, t \in S$ and, for $k \in \mathbb{N}$, by letting $d^{k+1}(s, t) = pd(s, t) \sqcup \alpha \cdot \max_{s' \in \tau(s)} \min_{t' \in \tau(t)} d^k(s', t')$, for all $s, t \in S$. Then $bd^{Aa}_\alpha = \lim_{k \to \infty} d^k$, and it can be shown that this and the other computations terminate in at most $|S|^2$ iterations. This gives the following complexity result.
Fig. 4. Linear versus branching distances on a deterministic MTS.

[Figure 5, panels: (a) Linear distances. (b) Branching distances. (c) All distances.]

Fig. 5. Relations between distances, where $f \to g$ means $f \le g$. In (c), the dotted arrows collapse to equality for boolean, deterministic MTSs.


Theorem 17 Computing $bd^x_\alpha$ for $x \in \{Ss, Sa, As, Aa\}$, $\alpha \in (0,1]$ and an MTS $M$ can be done in time $O(|M|^4)$.
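The iteration of Section 4.5, run on a small system, as an added example that is not code from the paper. The function names, the sample MTS (one real-valued predicate compared with $|x - y|$) and the `symmetric` flag, which joins in the mirrored max-min term that appears in the proof of Theorem 14, Part 3, are assumptions made here; every state is assumed to have at least one successor, and exact rationals are used so that the fixpoint can be detected by equality.

```python
from fractions import Fraction

# Constructed sample MTS (not from the paper): one real-valued predicate "r",
# compared with the metric |x - y|. Every state has at least one successor.
STATES = ["s0", "s1", "s2", "t0", "t1"]
SUCC = {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"],
        "t0": ["t1"], "t1": ["t1"]}
VAL = {"s0": {"r": 0}, "s1": {"r": 2}, "s2": {"r": 5},
       "t0": {"r": 0}, "t1": {"r": 2}}


def abs_metric(x, y):
    return abs(x - y)


def prop_dist(val, s, t, metric):
    """pd(s,t): largest per-predicate distance from [s](r) to [t](r)."""
    return max(metric(val[s][r], val[t][r]) for r in val[s])


def branching_distance(states, succ, val, alpha, metric=abs_metric,
                       symmetric=False):
    """Iterate d^{k+1} = pd ⊔ alpha * max_{s'} min_{t'} d^k, from d^0 = 0.

    With symmetric=True the mirrored term max_{t'} min_{s'} is joined in.
    Returns (fixpoint as a dict keyed by (s, t), number of iterations run).
    """
    pd = {(s, t): prop_dist(val, s, t, metric) for s in states for t in states}
    d = {pair: Fraction(0) for pair in pd}
    rounds = 0
    while True:
        nxt = {}
        for s, t in pd:
            # every move of s must be answered by the best move of t
            step = max(min(d[s2, t2] for t2 in succ[t]) for s2 in succ[s])
            if symmetric:
                back = max(min(d[s2, t2] for s2 in succ[s]) for t2 in succ[t])
                step = max(step, back)
            nxt[s, t] = max(pd[s, t], alpha * step)
        rounds += 1
        if nxt == d:  # exact arithmetic, so equality detects the fixpoint
            return d, rounds
        d = nxt


if __name__ == "__main__":
    half = Fraction(1, 2)
    asym, rounds = branching_distance(STATES, SUCC, VAL, half)
    sym, _ = branching_distance(STATES, SUCC, VAL, half, symmetric=True)
    # s0 can move to s2 (r = 5), which t0 can only answer with t1 (r = 2)
    print("one-sided d(s0,t0) =", asym["s0", "t0"])
    # every move of t0 is matched exactly by s0 moving to s1
    print("one-sided d(t0,s0) =", asym["t0", "s0"])
    print("two-sided d(t0,s0) =", sym["t0", "s0"])
    print("iterations:", rounds, "bound |S|^2 =", len(STATES) ** 2)
```

The one-sided result is not symmetric on this system, while the two-sided variant assigns the same value in both directions.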


5  Comparing  the  Linear  and  Branching  Distances 

Last,  we  provide  a  comparison  between  linear  and  branching  distances.  Just  as 
similarity  implies  trace  inclusion,  we  have  both  Ma  <  M^a  and  ldsa  <  bd^s;  just 
as  bisimilarity  implies  trace  equivalence,  we  have  ldsa  <  bd^f  and  Zda  <  6<Z®a. 
Moreover, in the non-quantitative setting, trace inclusion (resp. trace equivalence) coincides with (bi-)similarity on deterministic systems. This result generalizes to distances over MTSs that are both deterministic and boolean, but not to distances over MTSs that are just deterministic. To formalize these results, we say that an MTS is boolean if all its predicates are evaluated in the metric space $X_b$.

Theorem  18  The  following  properties  hold. 




1. For all MTSs and all $\alpha \in (0,1]$, we have

ldl<bdta  ld*a<Mt*  Vdaa<Wa  K<bdsa». 

Moreover, for $\alpha \in (0,1]$, the inequalities cannot be replaced by equalities.

2. For all boolean, deterministic MTSs and for all $\alpha \in (0,1]$, we have

K  =  bdta  Idl  =  bdts  K=bdta  Tdsa  =  bdts. 

These equalities need not hold for non-boolean, deterministic MTSs.

The  relations  of  Part  1  are  illustrated  in  Figure  5(c). 

In order to prove this theorem, we proceed in steps. First, we provide a relation between the fixpoints of the operators used to define linear and branching distances. For $\alpha \in (0,1]$ and $x \in \{a, s\}$, we define the operators $F^{Ax}_\alpha, F^{Sx}_\alpha : (S^2 \to \mathbb{R}^+) \to (S^2 \to \mathbb{R}^+)$ as follows, for $d : S^2 \to \mathbb{R}^+$:

Fa(d)(s,  t)  =  pd(s,  t)  U  sup  inf  sup  ald{ai,  pf) 

aEPaths(s)  pEPaths(t) 

F*a{d)(s,t)  =pd{s,t)  U  sup  inf  sup  ald{ai,pi) 

aEPaths(s)  PEPaths(t) 

Fa{d)(s,t)  =  pd(s,t)  U  sup  inf  sup  ald(ai,  pi) 

aEPaths(s)  PEPaths(t)  ^p^ 

U  sup  inf  sup  ald(pi,ai) 

pEPaths(t)<r£Paths(s)  iEN 

Fsa(d)(s,t)  =  pd(s,t)  U  sup  inf  sup  a*d(<7,,  pi) 

aEPaths(s)  pEPaths(t)  ^p^ 

LI  sup  inf  sup  ald{pi,(Ji). 

pEPaths(t )  &EPaths(s)  ^p^ 

These operators should be compared with the fixpoint operators used in Definition 13 to define the branching distances. Essentially, the operators $F^x$ above share the same structure of the operators $H^x$, except that $F^x$ looks at the infinite paths originating from states, whereas $H^x$ looks just at the successor states. The following lemma follows immediately from the definitions.

Lemma 5 Denote by $\mathbf{0} : \lambda(s, t).\,0$ the zero function $S^2 \to \mathbb{R}^+$. For $\alpha \in (0,1]$ and $x \in \{a, s\}$, we have:

K  =  F*(F*(  0)) 

K  =  K(K(  o)) 

=  K(nm 

ld°a  =  F%(F%(  0)). 

For $\alpha \in (0,1]$ denote the least fixpoints of these operators by:

$$\begin{aligned}
fd^{Aa}_\alpha &= \inf\{ d : S^2 \to \mathbb{R}^+ \mid d = F^{Aa}_\alpha(d) \} \\
fd^{As}_\alpha &= \inf\{ d : S^2 \to \mathbb{R}^+ \mid d = F^{As}_\alpha(d) \} \\
fd^{Sa}_\alpha &= \inf\{ d : S^2 \to \mathbb{R}^+ \mid d = F^{Sa}_\alpha(d) \} \\
fd^{Ss}_\alpha &= \inf\{ d : S^2 \to \mathbb{R}^+ \mid d = F^{Ss}_\alpha(d) \}
\end{aligned}$$

(where we have preferred to avoid the $\mu$-notation for least fixpoints so as not to generate confusion with the $\mu$-calculus over MTSs). The following lemma states that these fixpoints are branching distances.

Lemma 6 For all $\alpha \in (0,1]$, we have that

fdta  =  hdta 
fdtS  =  bdt* 

fdsaa=fdi*  =  bds:. 

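Proof. Let $\alpha \in (0,1]$. We show that $fd^{Aa}_\alpha = bd^{Aa}_\alpha$; the other cases are similar. First, note that the operator $H^{Aa}_\alpha$ used in Definition 13 to define the branching distances can be equivalently replaced by the following operator $G : (S^2 \to \mathbb{R}^+) \to (S^2 \to \mathbb{R}^+)$ by

$$G(d)(s, t) = pd(s, t) \sqcup d(s, t) \sqcup \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} \alpha \cdot d(s', t').$$

For convenience, let also $F = F^{Aa}_\alpha$. Then $bd^{Aa}_\alpha$ is the least fixpoint of $G$ and $fd^{Aa}_\alpha$ is the least fixpoint of $F$. Since $G(d) \le F(d)$ for all $d : S^2 \to \mathbb{R}^+$, we get by monotonicity of $G$ and $F$ that $bd^{Aa}_\alpha \le fd^{Aa}_\alpha$. To prove that $fd^{Aa}_\alpha \le bd^{Aa}_\alpha$, we define for each $k \in \mathbb{N}$

$$F_k(d)(s, t) = pd(s, t) \sqcup \sup_{\sigma \in Paths(s)} \inf_{\rho \in Paths(t)} \sup_{0 \le i < k} \alpha^i d(\sigma_i, \rho_i).$$

We denote by $G^k$ the operator $G$ iterated $k$ times, i.e. $G^0(d) = d$ and $G^{k+1}(d) = G(G^k(d))$. We show by induction that $F_k \le G^k$ for all $k \ge 1$. For $k = 1$, we have $F_1(d) = pd \sqcup d \le G^1(d)$. For $k + 1$, we have:

$$\begin{aligned}
F_{k+1}(d)(s, t) &= pd(s, t) \sqcup \sup_{\sigma \in Paths(s)} \inf_{\rho \in Paths(t)} \sup_{0 \le i < k+1} \alpha^i d(\sigma_i, \rho_i) \\
&= pd(s, t) \sqcup \sup_{s' \in \tau(s)} \sup_{\sigma' \in Paths(s')} \inf_{t' \in \tau(t)} \inf_{\rho' \in Paths(t')} \sup_{0 \le i < k} \big( d(s, t) \sqcup \alpha^{i+1} d(\sigma'_i, \rho'_i) \big) \\
&\le pd(s, t) \sqcup d(s, t) \sqcup \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} \sup_{\sigma' \in Paths(s')} \inf_{\rho' \in Paths(t')} \sup_{0 \le i < k} \alpha^{i+1} d(\sigma'_i, \rho'_i) \\
&= pd(s, t) \sqcup d(s, t) \sqcup \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} F_k(d)(s', t') \\
&\le pd(s, t) \sqcup d(s, t) \sqcup \sup_{s' \in \tau(s)} \inf_{t' \in \tau(t)} \alpha\, G^k(d)(s', t') \\
&= G^{k+1}(d)(s, t).
\end{aligned}$$

Then,

$$F(bd^{Aa}_\alpha) = \lim_k F_k(bd^{Aa}_\alpha) \le \lim_k G^k(bd^{Aa}_\alpha) = bd^{Aa}_\alpha.$$

Together with $F(d) \ge d$ for all $d$, this shows $F(bd^{Aa}_\alpha) = bd^{Aa}_\alpha$, i.e. $bd^{Aa}_\alpha$ is a fixpoint of $F$. Hence, $bd^{Aa}_\alpha \ge fd^{Aa}_\alpha$, since $fd^{Aa}_\alpha$ is the least fixpoint of $F$. □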

With  this  result,  we  can  finally  prove  Theorem  18. 
Proof of Theorem 18.

1. The inequalities follow from Lemmas 5 and 6, and from the monotonicity of the $F^{Ax}_\alpha$, $F^{Sx}_\alpha$ operators for $\alpha \in (0,1]$ and $x \in \{a, s\}$. To see that on deterministic, non-boolean MTSs, the linear distances between states can be strictly smaller than the corresponding branching ones, consider
the  MTS  in  Figure  4.  We  assume  that  a  >  a  similar  example  works 
if  a  <  |.  Then  ldaa(s,t )  =  ldsa(s,t )  =  ld^(s,t)  =  ldsa(s,t)  =  \a,  while 
bd^a(s,t)  =  bd^s(s,t)  =  bdAa(s,t)  =  bdAs(s,t)  =  ce2. 

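2. Let $M = (S, \tau, \Sigma, [\cdot])$ be a boolean, deterministic MTS, let $\alpha \in (0,1]$ and $s, t \in S$. We show that $ld^a_\alpha = bd^{Aa}_\alpha$. The other cases are similar. By part 1 of this theorem, we know that $ld^a_\alpha \le bd^{Aa}_\alpha$. To prove that $ld^a_\alpha \ge bd^{Aa}_\alpha$, we show that $H^{Aa}_\alpha(ld^a_\alpha) = ld^a_\alpha$, i.e. that $ld^a_\alpha$ is a fixpoint of $H^{Aa}_\alpha$. As $bd^{Aa}_\alpha$ is the least fixpoint of $H^{Aa}_\alpha$, we obtain $ld^a_\alpha \ge bd^{Aa}_\alpha$. First, we observe that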

HAa(ldaa)(s,t)  =  pd(s,t)  U  a  sup  inf  ld^(s',t') 

s'  Et(s)  t1 

=  pd(s,t)  U  a  sup  inf  sup  inf  tda(a',p') 

s'  Et(s)  p  a'  (E  Paths  (s' )  P'  e  Paths  (t‘ ) 

>pd(s,t)Ua  sup  sup  inf  inf  tda(a',p') 

s'eT(s)a'ePat.hs(s’)tl^T(t)Pl^Paths(t') 

=  sup  inf  tda(a,p) 

<j(E  Paths  (s )  p€-Paths(t ) 

=  K(s,t). 

So $H^{Aa}_\alpha(ld^a_\alpha)(s, t) \ge ld^a_\alpha(s, t)$. We show that also $H^{Aa}_\alpha(ld^a_\alpha)(s, t) \le ld^a_\alpha(s, t)$. If $pd(s, t) = 1$, then $H^{Aa}_\alpha(ld^a_\alpha)(s, t) = ld^a_\alpha(s, t) = 1$. Hence, assume $pd(s, t) = 0$. We distinguish two cases.

Case  1:  sups/er(s)  inft/6r(t)  pda(s',  t')  =  1.  Then  one  easily  shows  that 
HAa(ldaa)(s,t)  =  a  =  ldaa(s,t). 


Case  2:  sups,er(s)  inf t'eT(t)Pda{s' ,t')  =0. 

Since  M  is  deterministic  and  boolean,  we  know  that  for  all  s'  £  t(s),  there 
is  a  ts'  £  r(t)  such  that  pda(s' ,  ts')  =  0  and  pda(s' ,t')  =  1  for  t'  ts' .  Then, 
we  have  for  all  s'  £  r(s),t'  £  r(t),t'  -fc  ts> .  a'  £  Paths(s'),  p'  £  Pathsft'), 
and  ps'  £  Paths (t s')  that 

tda(a' , pta,)  <  a  and  tda(a',p')  =  1 

and  therefore 


so 


inf  tda(a',p')  < 

p'  E  Paths  (ts/) 


inf 

p'  E  Paths  (t1) 


tda(a',p') 


inf  tda(a',p')  <  inf  inf  tda(a',p'). 

p'  E  Paths  (ts/)  t' (zr{t)  p' Paths  (t') 


(*) 
Recalling that $pd(s, t) = 0$, we get

HAa(ld^x)(s,t)  =  a  sup  inf  sup  inf  tda(a',p') 

s'£t(s)  t'St(t)  ai  £  Paths  (s' )  P1  £P<dhs(t'} 

<a  sup  sup  inf  tda(a',p')  by  (*) 

s'  €t  (s)  ct'  &  Paths  (s')  P'  CiPaths(tsi ) 

<a  sup  sup  inf  inf  tda(a',p') 

s'er(s)  a'EPaths(s')  t'€r(i)  p' €Paths(t') 

=  sup  inf  tda(a,p ) 

aEPaths(s)  p£Path.s(t) 

=  ldl(s,t). 

To  see  that  the  equalities  cannot  be  strengthened  to  equalities,  consider 
a  €  (0, 1].  We  give  the  proof  for  a  >  a  similar  example  works  if  a  <  |. 
Consider  the  MTS  in  Figure  4.  Then  ldxa(s,t)  =  \ a ,  while  bdxa(s,t )  =  a2.  □ 

6  Conclusions 

In this paper, we have provided metric extensions of the classical linear and branching relations: trace inclusion, trace equivalence, simulation, and bisimulation. We remark that, while metric analogues of bisimulation had been known for some time [7, 18], this is not the case for the other notions, which had escaped attention thus far. We hope that the introduction of these quantitative asymmetrical and symmetrical distances constitutes a useful step toward achieving a quantitative theory of systems, in which the classical boolean setting of specification and verification is replaced by a setting in which properties have (real-valued, or general) values, and verification can yield not only yes/no answers, but also measures of quality, adequacy, and cost.

We have provided three main classes of characterizations for linear and branching distances:

1. Distances as upper bounds for logic valuations. Results in this class state that the distances provide an upper bound for the difference in value of formulas of linear (Qltl) and branching (Qmu) logics. Results of this type are Theorems 4 and 13.

2. Logics as full characterizations of distances. Results in this class state that the distances are equal to the supremum of the difference in value of all linear, or branching formulas. Results of this type are Theorems 5 and 14.

3. Relations among distances. Results in this class compare the value of linear and branching distances; results of this type are Theorems 2, 11, and 18.

Results in classes 1 and 3 hold for general MTSs, and are thus particularly satisfying. In contrast, as we have seen, results in class 2 hold only for finitely branching MTSs. Many MTSs of interest are not finitely branching: for instance, in a hybrid system, there can be uncountably many successors of a state, corresponding to the real-valued length of time steps possible from the state. It is an interesting open problem to investigate classes of MTSs that are more general than finitely branching MTSs, and for which results of class 2 still hold.